Diffstat (limited to 'ansible/roles/ansible-vvp-bootstrap/tasks/main.yml')
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/main.yml183
1 files changed, 183 insertions, 0 deletions
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
new file mode 100755
index 0000000..48b545e
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -0,0 +1,183 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+- name: install packages
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - docker
+ tags:
+ - bootstrap
+
+- name: Is our management IP set?
+ shell: "ip addr show {{ops_management_interface}} | grep {{ops_management_ip}}"
+ register: mgmt_ip
+ tags:
+ - bootstrap
+ ignore_errors: True
+
+- name: Set interface address
+ command: ip addr add {{ops_management_ip}}/24 dev {{ops_management_interface}}
+ when: mgmt_ip.stdout == ""
+ tags:
+ - bootstrap
+
+- name: Temporarily allow all INPUT
+ shell: iptables -P INPUT ACCEPT
+ tags:
+ - always
+
+- name: Temporarily allow all OUTPUT
+ shell: iptables -P OUTPUT ACCEPT
+ tags:
+ - always
+
+- name: Flush all IPTables Rules (non nat)
+ shell: iptables -F
+ tags:
+ - always
+
+- name: Allow SSH for development environments
+ shell: iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o {{ops_management_interface}} --sport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow SSH for non-development environments
+ shell: iptables -A INPUT -p tcp -i {{ops_management_interface}} --dport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow Outbound UDP DNS
+ shell: iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+- name: Allow Inbound UDP DNS replies
+ shell: iptables -A INPUT -p udp --sport 53 -j ACCEPT
+
+- name: Allow Outbound Web Requests
+ shell: iptables -A OUTPUT -p tcp --dport {{item}} -j ACCEPT
+ with_items:
+ - 443
+ - 80
+
+- name: Allow Inbound Web Replies
+ shell: iptables -A INPUT -p tcp --sport {{item}} -m state --state ESTABLISHED,RELATED -j ACCEPT
+ with_items:
+ - 443
+ - 80
+- name: Drop INPUT
+ shell: iptables -P INPUT DROP
+ tags:
+ - always
+
+- name: Drop OUTPUT
+ shell: iptables -P OUTPUT DROP
+ tags:
+ - always
+
+- name: Drop FORWARD
+ shell: iptables -P FORWARD DROP
+ tags:
+ - always
+
+- name: set additional interfaces ip
+ command: ip addr add {{item.value}} dev {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Bring additional interfaces up
+ command: ifup {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Add self to resolv.conf
+ lineinfile:
+ dest: /etc/resolv.conf
+ line: "nameserver {{ops_management_ip}}"
+ insertbefore: BOF
+
+- name: start docker
+ command: systemctl restart docker
+ tags:
+ - always
+
+- name: Disable Forwarding
+ command: "echo 0 > /proc/sys/net/ipv4/ip_forward"
+ tags:
+ - bootstrap
+
+#########################
+# FILESYSTEM
+#
+- name: Create files DIR
+ file: state=directory path="{{files_dir}}" mode=0755
+ tags:
+ - bootstrap
+ - tls
+
+- include: matchbox.yml
+ tags:
+ - bootstrap
+ - matchbox
+
+
+- include: tls.yml
+ tags:
+ - bootstrap
+ - tls
+
+- include: dnsmasq.yml
+ tags:
+ - bootstrap
+ - dnsmasq
+
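Review bot: `command: "echo 0 > /proc/sys/net/ipv4/ip_forward"` in the "Disable Forwarding" task does not disable forwarding: the `command` module runs no shell, so `>` and the path are handed to `echo` as plain arguments, nothing is written to the sysctl, and the task still reports success. Replace it with the sysctl module, `sysctl: name=net.ipv4.ip_forward value="0" sysctl_set=yes state=present`, which writes the live value and persists it. Separately, the DNS and web-traffic tasks ("Allow Outbound UDP DNS" through "Allow Inbound Web Replies") carry no tags while the flush and the three DROP-policy tasks are tagged `always`, so a run limited to `--tags bootstrap` flushes the table and sets DROP policies without re-adding those rules, leaving the host without DNS or HTTP(S) egress; give those four tasks the same `tags:` / `- always` block as their neighbours. The whole ruleset is also built with `shell: iptables ...` and never saved, so it presumably does not survive a reboot — a `service iptables save` step or the iptables module would make that explicit.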