authorPaul McGoldrick <paul.mcgoldrick@att.com>2017-09-28 10:03:38 -0700
committerPaul McGoldrick <paul.mcgoldrick@att.com>2017-09-28 10:14:09 -0700
commitf52ddcb67f75aeb6bd72fecfd4a133ae1eb56666 (patch)
tree898aca33908fa491bfe541ba8f3b40124562d147 /ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
parent066d65126779abf924dd9175da56d2d43991dbff (diff)
initial seed code commit VVP-3
Change-Id: I6c9fede9b75ebaf1bcba2ad14f09f021fea63d21 Signed-off-by: Paul McGoldrick <paul.mcgoldrick@att.com>
Diffstat (limited to 'ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml')
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml103
1 files changed, 103 insertions, 0 deletions
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
new file mode 100755
index 0000000..48dad1c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
@@ -0,0 +1,103 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Install nf_conntrack_tftp
+ modprobe:
+ name: nf_conntrack_tftp
+ state: present
+
+- name: Copy our pxe client
+ copy: src=iceundionly.kpxe dest="{{files_dir}}/iceundionly.kpxe"
+ when: pxe_chainload
+
+- name: Create DNSMASQ leases file
+ file: path="{{files_dir}}/leases" mode=0644 state=touch
+
+- name: DROP DNS, tftp requests from public
+ shell: iptables -I INPUT 1 -p udp --dport {{item}} -i {{ops_public_interface}} -j DROP
+ with_items:
+ - 53
+ - 69
+
+- name: DROP DNS, tftp requests to public
+ shell: iptables -I OUTPUT 1 -p udp --sport {{item}} -o {{ops_public_interface}} -j DROP
+ with_items:
+ - 53
+ - 69
+
+- name: Allow Inbound UDP DHCP Requests
+ shell: iptables -A INPUT -p udp --dport {{item}} -j ACCEPT
+ with_items:
+ - 53
+ - 67:69
+
+- name: Allow Outbound UDP DNS, DHCP
+ shell: iptables -A OUTPUT -p udp --sport {{item}} -j ACCEPT
+ with_items:
+ - 53
+ - 67:69
+
+- name: Allow TFTP file transfers on arbitrary ports.
+ shell: 'iptables -A OUTPUT -p udp -o {{ ops_management_interface }} --sport 1023: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Allow TFTP file transfers on arbitrary ports.
+ shell: 'iptables -A INPUT -p udp -i {{ops_management_interface}} --dport 1023: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Render DNSMASQ configuration
+ template:
+ src: dnsmasq.conf.j2
+ dest: "{{files_dir}}/dnsmasq.conf"
+
+- name: Is dnsmasq already running?
+ shell: docker ps | grep dnsmasq | awk '{ print $1 }'
+ register: dnsmasq_id
+
+- name: Kill dnsmasq!
+ shell: docker kill "{{dnsmasq_id.stdout}}"
+ when: dnsmasq_id.stdout != ""
+
+- name: Start DNSMASQ
+ command: "docker run -d
+ --net=host
+ --cap-add=NET_ADMIN
+ -v {{files_dir}}/leases:/var/lib/misc/dnsmasq.leases:Z
+ -v {{files_dir}}/dnsmasq.conf:/etc/dnsmasq.conf:Z
+{% if pxe_chainload %}
+ -v {{files_dir}}/iceundionly.kpxe:/var/lib/tftpboot/iceundionly.kpxe:Z
+{% endif %}
+ quay.io/coreos/dnsmasq -d -q"
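Review bot: Every iptables task in this hunk runs through `shell` with no guard, so the rules are not idempotent: each replay inserts another DROP at position 1 and appends duplicate ACCEPT rules, and nothing in the hunk persists the rules or the nf_conntrack_tftp module across a reboot, after which the host-networked dnsmasq answers on `ops_public_interface` until the play runs again (unless the INPUT default policy already drops that traffic). The `iptables` module expresses the same rules idempotently (`action: insert` for the DROPs), as shown below for the first firewall task; the other five iptables tasks share the issue and would be converted the same way, with persistence handled by the platform's save mechanism. Separately, the `Is dnsmasq already running?` lookup greps the whole `docker ps` listing while the container is started without `--name`, so any other container whose image or command contains `dnsmasq` yields a multi-line `dnsmasq_id.stdout` that `docker kill "{{dnsmasq_id.stdout}}"` cannot act on; adding `--name dnsmasq` to the `docker run` and using `docker ps -q -f name=dnsmasq` pins the lookup to the intended container.
```yaml
- name: DROP DNS, tftp requests from public
  iptables:
    chain: INPUT
    protocol: udp
    destination_port: "{{ item }}"
    in_interface: "{{ ops_public_interface }}"
    jump: DROP
    action: insert
  with_items:
    - "53"
    - "69"
# … unchanged: remaining tasks (other iptables tasks converted the same way) …
```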