Expose Browbeat Results Port
On OSPd10 we ran into a port collision with zaqar-server listening to port 9000. Originally port 9000 was chosen because it is less "work" to allow selinux to let httpd listen on that port. This commit allows us to change the port while still handling selinux. PS#3 - Implemented Justin's suggestion on using the ansible module rather than a shell command to semanage. Note that I have run into inconsistent behavior with the module when running a version older than ansible 2.1.1. See this now fixed ansible issue: PS#5 - Just use semanage, Ansible upstream does not have seport fixed yet. View response on github for further details. https://github.com/ansible/ansible-modules-extras/issues/2009 PS#7 - Now persists the iptables rule and results_in_httpd is renamed to browbeat_results_in_httpd and exposed in the typical vars file. PS#12 - Implemented wfoster's ansible tasks for handling firewalld/iptables. Change-Id: Ia859c6d87d6c4aba69c0db48be6b434d31162c72
This commit is contained in:
parent
af2492e285
commit
53e0325424
@ -10,8 +10,6 @@
|
|||||||
|
|
||||||
- hosts: undercloud
|
- hosts: undercloud
|
||||||
remote_user: "{{ local_remote_user }}"
|
remote_user: "{{ local_remote_user }}"
|
||||||
vars:
|
|
||||||
results_in_httpd: false
|
|
||||||
roles:
|
roles:
|
||||||
- common
|
- common
|
||||||
- browbeat
|
- browbeat
|
||||||
|
@ -5,6 +5,9 @@ tripleo: true
|
|||||||
|
|
||||||
browbeat_path: /home/stack/browbeat
|
browbeat_path: /home/stack/browbeat
|
||||||
home_dir: /home/stack
|
home_dir: /home/stack
|
||||||
|
# Configuration items to adjust browbeat results served through httpd
|
||||||
|
browbeat_results_port: 9001
|
||||||
|
browbeat_results_in_httpd: true
|
||||||
supported_distro: ((ansible_distribution == "CentOS" && ansible_distribution_major_version >= "7") or
|
supported_distro: ((ansible_distribution == "CentOS" && ansible_distribution_major_version >= "7") or
|
||||||
(ansible_distribution == "RedHat" && ansible_distribution_major_version >= "7"))
|
(ansible_distribution == "RedHat" && ansible_distribution_major_version >= "7"))
|
||||||
|
|
||||||
|
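Review bot: The new default `browbeat_results_in_httpd: true` flips the previous default, since the playbook hunk in this same commit removes `results_in_httpd: false`, so a plain run of the installer now serves the results directory over httpd and opens `browbeat_results_port` in firewalld/iptables and in the SELinux http_port_t policy without the operator opting in. That is a reasonable choice for an undercloud, but the vars file should say so next to the key, e.g. `# true serves browbeat_path/results over httpd on browbeat_results_port and opens that port in the host firewall and SELinux policy; set false to keep results off the network`. A second comment on `browbeat_results_port` noting that the value must not collide with another undercloud listener (9000 is taken by zaqar-server on OSPd10, per the commit message) would save the next reader the same investigation.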
@ -135,30 +135,84 @@
|
|||||||
- name: Install shaker
|
- name: Install shaker
|
||||||
pip: name=pyshaker version=0.0.14 virtualenv={{ shaker_venv }}
|
pip: name=pyshaker version=0.0.14 virtualenv={{ shaker_venv }}
|
||||||
|
|
||||||
### begin firewall ###
|
#
|
||||||
# we need TCP/5555 open
|
# Serve results out of httpd if browbeat_results_in_httpd is set to true
|
||||||
# determine firewall status and take action
|
#
|
||||||
# 1) use firewall-cmd if firewalld is utilized
|
|
||||||
# 2) insert iptables rule if iptables is used
|
|
||||||
|
|
||||||
|
- name: Setup browbeat.conf in /etc/httpd/conf.d
|
||||||
|
template:
|
||||||
|
src: 00-browbeat.conf.j2
|
||||||
|
dest: /etc/httpd/conf.d/00-browbeat.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
become: true
|
||||||
|
when: browbeat_results_in_httpd
|
||||||
|
notify:
|
||||||
|
- restart httpd
|
||||||
|
|
||||||
|
- name: Set seboolean(httpd_read_user_content)
|
||||||
|
seboolean: name=httpd_read_user_content state=yes persistent=yes
|
||||||
|
become: true
|
||||||
|
when: browbeat_results_in_httpd
|
||||||
|
|
||||||
|
- name: Allow httpd to serve content in "{{ home_dir }}"
|
||||||
|
file: path="{{ home_dir }}" state=directory mode=0755
|
||||||
|
when: browbeat_results_in_httpd
|
||||||
|
|
||||||
|
# (akrzos) Port 9000 is already in use by zaqar-server (OSPd10) and thus the fact that likely the
|
||||||
|
# user will choose a port that is not enabled by selinux to allow httpd to listen, we need to modify
|
||||||
|
# the ports enabled by selinux for httpd. If the port is already defined you will run into this
|
||||||
|
# issue if you use the "seport" ansible module:
|
||||||
|
# https://github.com/ansible/ansible-modules-extras/pull/2694
|
||||||
|
# This is not in upstream Ansible releases as of 2.1.1.0
|
||||||
|
- name: Allow httpd to listen to port ({{browbeat_results_port}})
|
||||||
|
shell: "/usr/sbin/semanage port -m -t http_port_t -p tcp {{browbeat_results_port}}"
|
||||||
|
become: true
|
||||||
|
when: browbeat_results_in_httpd
|
||||||
|
|
||||||
|
### Begin Shaker port and browbeat_results_port firewall tasks###
|
||||||
# Firewalld
|
# Firewalld
|
||||||
- name: (shaker) Determine if firewalld is in use
|
- name: Determine if firewalld is in use
|
||||||
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
register: firewalld_in_use
|
register: firewalld_in_use
|
||||||
no_log: true
|
no_log: true
|
||||||
|
tags:
|
||||||
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||||
|
# Need to check if firewall is in use
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
- name: (shaker) Determine if firewalld is active
|
- name: Determine if firewalld is active
|
||||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
shell: systemctl is-active firewalld.service | egrep -vq 'inactive|unknown'
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
register: firewalld_is_active
|
register: firewalld_is_active
|
||||||
no_log: true
|
no_log: true
|
||||||
|
tags:
|
||||||
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||||
|
# Need to check if firewall is active
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
- name: (shaker) Determine if TCP/{{shaker_port}} is already active
|
- name: (shaker) Determine if TCP/{{shaker_port}} is already active
|
||||||
shell: firewall-cmd --list-ports | egrep -q "^{{shaker_port}}/tcp"
|
shell: firewall-cmd --list-ports | egrep -q "^{{shaker_port}}/tcp"
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
register: firewalld_tcp{{shaker_port}}_exists
|
register: firewalld_tcp{{shaker_port}}_exists
|
||||||
no_log: true
|
no_log: true
|
||||||
|
tags:
|
||||||
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||||
|
# Need to check if port is already active
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
- name: (browbeat_results) Determine if TCP/{{browbeat_results_port}} is already active
|
||||||
|
shell: firewall-cmd --list-ports | egrep -q "^{{browbeat_results_port}}/tcp"
|
||||||
|
when: browbeat_results_in_httpd
|
||||||
|
ignore_errors: true
|
||||||
|
register: firewalld_tcp{{browbeat_results_port}}_exists
|
||||||
|
no_log: true
|
||||||
|
tags:
|
||||||
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||||
|
# Need to check if port is already active
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
# add firewall rule via firewall-cmd
|
# add firewall rule via firewall-cmd
|
||||||
- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (firewalld)
|
- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (firewalld)
|
||||||
@ -170,13 +224,40 @@
|
|||||||
become: true
|
become: true
|
||||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{shaker_port}}_exists.rc != 0
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{shaker_port}}_exists.rc != 0
|
||||||
|
|
||||||
|
- name: (browbeat_results) Add firewall rule for TCP/{{browbeat_results_port}} (firewalld)
|
||||||
|
command: "{{ item }}"
|
||||||
|
with_items:
|
||||||
|
- firewall-cmd --zone=public --add-port={{browbeat_results_port}}/tcp --permanent
|
||||||
|
- firewall-cmd --reload
|
||||||
|
ignore_errors: true
|
||||||
|
become: true
|
||||||
|
when: browbeat_results_in_httpd and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0
|
||||||
|
|
||||||
# iptables-services
|
# iptables-services
|
||||||
- name: (shaker) check firewall rules for TCP/{{shaker_port}} (iptables-services)
|
- name: (shaker) check firewall rules for TCP/{{shaker_port}} (iptables-services)
|
||||||
shell: grep "dport {{shaker_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
shell: grep "dport {{shaker_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
register: iptables_tcp5555_exists
|
become: true
|
||||||
|
register: iptables_tcp{{shaker_port}}_exists
|
||||||
failed_when: iptables_tcp{{shaker_port}}_exists == 127
|
failed_when: iptables_tcp{{shaker_port}}_exists == 127
|
||||||
no_log: true
|
no_log: true
|
||||||
|
tags:
|
||||||
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||||
|
# Need to check if port is already active
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
- name: (browbeat_results) Check firewall rules for TCP/{{browbeat_results_port}} (iptables-services)
|
||||||
|
shell: grep "dport {{browbeat_results_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||||
|
when: browbeat_results_in_httpd
|
||||||
|
ignore_errors: true
|
||||||
|
become: true
|
||||||
|
register: iptables_tcp{{browbeat_results_port}}_exists
|
||||||
|
failed_when: iptables_tcp{{browbeat_results_port}}_exists == 127
|
||||||
|
no_log: true
|
||||||
|
tags:
|
||||||
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||||
|
# Need to check if port is already active
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (iptables-services)
|
- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (iptables-services)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
@ -185,52 +266,27 @@
|
|||||||
regexp: '^INPUT -i lo -j ACCEPT'
|
regexp: '^INPUT -i lo -j ACCEPT'
|
||||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||||
backup: yes
|
backup: yes
|
||||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5555_exists.stdout|int == 0
|
become: true
|
||||||
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp{{shaker_port}}_exists.stdout|int == 0
|
||||||
register: iptables_needs_restart
|
register: iptables_needs_restart
|
||||||
|
|
||||||
- name: (shaker) Restart iptables-services for TCP/{{shaker_port}} (iptables-services)
|
- name: (browbeat_results) Add firewall rule for TCP/{{browbeat_results_port}} (iptables-services)
|
||||||
shell: systemctl restart iptables.service
|
lineinfile:
|
||||||
|
dest: /etc/sysconfig/iptables
|
||||||
|
line: '-A INPUT -p tcp -m tcp --dport {{browbeat_results_port}} -j ACCEPT'
|
||||||
|
regexp: '^INPUT -i lo -j ACCEPT'
|
||||||
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||||
|
backup: yes
|
||||||
|
become: true
|
||||||
|
when: browbeat_results_in_httpd and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp{{browbeat_results_port}}_exists.stdout|int == 0
|
||||||
|
register: iptables_needs_restart
|
||||||
|
|
||||||
|
- name: Restart iptables-services (iptables-services)
|
||||||
|
command: systemctl restart iptables.service
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
become: true
|
||||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||||
|
|
||||||
### end firewall ###
|
### end firewall ###
|
||||||
#
|
|
||||||
# Serve results out of httpd if results_in_httpd is set to true
|
|
||||||
#
|
|
||||||
|
|
||||||
- name: Setup browbeat.conf in /etc/httpd/conf.d
|
|
||||||
template:
|
|
||||||
src: 00-browbeat.conf.j2
|
|
||||||
dest: /etc/httpd/conf.d/00-browbeat.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
become: true
|
|
||||||
when: results_in_httpd
|
|
||||||
notify:
|
|
||||||
- restart httpd
|
|
||||||
|
|
||||||
- name: Check iptables for browbeat port(9000)
|
|
||||||
shell: iptables -nvL | grep -q "dpt:9000"
|
|
||||||
become: true
|
|
||||||
changed_when: false
|
|
||||||
when: results_in_httpd
|
|
||||||
register: browbeat_results_port
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Open iptables for browbeat port(9000)
|
|
||||||
shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport 9000 -j ACCEPT
|
|
||||||
become: true
|
|
||||||
when: results_in_httpd and browbeat_results_port.rc == 1
|
|
||||||
|
|
||||||
- name: Set seboolean(httpd_read_user_content)
|
|
||||||
seboolean: name=httpd_read_user_content state=yes persistent=yes
|
|
||||||
become: true
|
|
||||||
when: results_in_httpd
|
|
||||||
|
|
||||||
- name: Allow httpd to serve content in "{{ home_dir }}"
|
|
||||||
file: path="{{ home_dir }}" state=directory mode=0755
|
|
||||||
when: results_in_httpd
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Obtain and upload images for use with browbeat
|
# Obtain and upload images for use with browbeat
|
||||||
|
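Review bot: The `when:` on the new `(browbeat_results) Add firewall rule for TCP/{{browbeat_results_port}} (firewalld)` task tests `firewalld_tcp{{connmon_port}}_exists.rc`, but the check task just above registers `firewalld_tcp{{browbeat_results_port}}_exists`, so the rule is gated on a variable this role never sets (or on some other port's check if `connmon_port` is defined elsewhere) rather than on the results port; it should read `when: browbeat_results_in_httpd and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{browbeat_results_port}}_exists.rc != 0`. Both the shaker and the browbeat_results iptables lineinfile tasks now `register: iptables_needs_restart`, so the later task's result overwrites the earlier one before the shared restart task reads it; since that restart is gated only on firewalld being absent this is presumably harmless today, but a distinct register name per task would make the intent clear. The `semanage port -m` shell task has no `changed_when`, so it reports changed on every run, and `-m` presumably requires the port to already be defined in the policy; a comment stating which case the chosen port falls in, e.g. `# -m modifies an existing port definition; a port unknown to the policy would need -a`, would document the assumption the task depends on.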
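--- a/<dir not shown on page>/00-browbeat.conf.j2
+++ b/<dir not shown on page>/00-browbeat.conf.j2
@@ -1,8 +1,8 @@
 # Browbeat httpd config to serve results on undercloud
 # Installed via browbeat installer
 
-Listen 9000
-<VirtualHost *:9000>
+Listen {{ browbeat_results_port }}
+<VirtualHost *:{{ browbeat_results_port }}>
 ServerName browbeat-results
 DocumentRoot "{{ browbeat_path }}/results"
 <Directory "{{ browbeat_path }}/results">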