From f52ddcb67f75aeb6bd72fecfd4a133ae1eb56666 Mon Sep 17 00:00:00 2001
From: Paul McGoldrick <paul.mcgoldrick@att.com>
Date: Thu, 28 Sep 2017 10:03:38 -0700
Subject: initial seed code commit VVP-3

Change-Id: I6c9fede9b75ebaf1bcba2ad14f09f021fea63d21
Signed-off-by: Paul McGoldrick <paul.mcgoldrick@att.com>
---
 .../roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml  | 103 +++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100755 ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml

(limited to 'ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml')

diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
new file mode 100755
index 0000000..48dad1c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
@@ -0,0 +1,103 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Install nf_conntrack_tftp
+  modprobe:
+    name: nf_conntrack_tftp
+    state: present
+
+- name: Copy our pxe client
+  copy: src=iceundionly.kpxe dest="{{files_dir}}/iceundionly.kpxe"
+  when: pxe_chainload
+
+- name: Create DNSMASQ leases file
+  file: path="{{files_dir}}/leases" mode=0644 state=touch
+
+- name: DROP DNS, tftp requests from public
+  shell: iptables -I INPUT 1 -p udp --dport {{item}} -i {{ops_public_interface}} -j DROP
+  with_items:
+  - 53
+  - 69
+
+- name: DROP DNS, tftp requests to public
+  shell: iptables -I OUTPUT 1 -p udp --sport {{item}} -o {{ops_public_interface}} -j DROP
+  with_items:
+  - 53
+  - 69
+
+- name: Allow Inbound UDP DHCP Requests
+  shell: iptables -A INPUT -p udp --dport {{item}} -j ACCEPT
+  with_items:
+  - 53
+  - 67:69
+
+- name: Allow Outbound UDP DNS, DHCP
+  shell: iptables -A OUTPUT -p udp --sport {{item}} -j ACCEPT
+  with_items:
+  - 53
+  - 67:69
+
+- name: Allow TFTP file transfers on arbitrary ports.
+  shell: 'iptables -A OUTPUT -p udp -o {{ ops_management_interface }} --sport 1023: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Allow TFTP file transfers on arbitrary ports.
+  shell: 'iptables -A INPUT -p udp -i {{ops_management_interface}} --dport 1023: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Render DNSMASQ configuration
+  template:
+    src: dnsmasq.conf.j2
+    dest: "{{files_dir}}/dnsmasq.conf"
+
+- name: Is dnsmasq already running?
+  shell: docker ps | grep dnsmasq | awk '{ print $1 }'
+  register: dnsmasq_id
+
+- name: Kill dnsmasq!
+  shell: docker kill "{{dnsmasq_id.stdout}}"
+  when: dnsmasq_id.stdout != ""
+
+- name: Start DNSMASQ
+  command: "docker run -d
+    --net=host
+    --cap-add=NET_ADMIN
+    -v {{files_dir}}/leases:/var/lib/misc/dnsmasq.leases:Z
+    -v {{files_dir}}/dnsmasq.conf:/etc/dnsmasq.conf:Z
+{% if pxe_chainload %}
+    -v {{files_dir}}/iceundionly.kpxe:/var/lib/tftpboot/iceundionly.kpxe:Z
+{% endif %}
+    quay.io/coreos/dnsmasq -d -q"
-- 
cgit 1.2.3-korg