116 lines
3.5 KiB
YAML
116 lines
3.5 KiB
YAML
---
|
|
#
|
|
# Connmon Install
|
|
#
|
|
|
|
- name: Install pip
|
|
easy_install: name=pip
|
|
become: true
|
|
|
|
- name: Install connmon
|
|
pip: name=connmon
|
|
become: true
|
|
|
|
#
|
|
# Connmon Setup
|
|
#
|
|
|
|
- name: Configure Connmon Host IP Address
|
|
template:
|
|
src: connmon.cfg.j2
|
|
dest: /etc/connmon.cfg
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
become: true
|
|
|
|
- name: Install Screen for connmon
|
|
yum: name=screen state=present
|
|
become: true
|
|
when: undercloud
|
|
|
|
# To remove the screen session: screen -X -S connmond kill
|
|
- name: Run connmond in screen session on undercloud
|
|
command: screen -d -S connmond -m connmond
|
|
when: undercloud
|
|
changed_when: false
|
|
|
|
### begin firewall ###
|
|
# we need TCP/5555 open
|
|
# determine firewall status and take action
|
|
# 1) use firewall-cmd if firewalld is utilized
|
|
# 2) insert iptables rule if iptables is used
|
|
|
|
# Firewalld
|
|
- name: (connmon) Determine if firewalld is in use
|
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
|
ignore_errors: true
|
|
register: firewalld_in_use
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall is in use
|
|
- skip_ansible_lint
|
|
|
|
- name: (connmon) Determine if firewalld is active
|
|
shell: systemctl is-active firewalld.service | grep -vq inactive
|
|
ignore_errors: true
|
|
register: firewalld_is_active
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall is active
|
|
- skip_ansible_lint
|
|
|
|
- name: (connmon) Determine if TCP/{{connmon_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_connmon_port_exists
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if port is already active
|
|
- skip_ansible_lint
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{connmon_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_connmon_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
|
|
shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
become: true
|
|
register: iptables_connmon_port_exists
|
|
failed_when: iptables_connmon_port_exists == 127
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if port is already active
|
|
- skip_ansible_lint
|
|
|
|
- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{connmon_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
become: true
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_connmon_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
|
|
command: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
become: true
|
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
|
|
|
### end firewall ###
|