From f52ddcb67f75aeb6bd72fecfd4a133ae1eb56666 Mon Sep 17 00:00:00 2001
From: Paul McGoldrick
Date: Thu, 28 Sep 2017 10:03:38 -0700
Subject: initial seed code commit VVP-3
Change-Id: I6c9fede9b75ebaf1bcba2ad14f09f021fea63d21
Signed-off-by: Paul McGoldrick
---
ansible/roles/ansible-vvp-bootstrap/tasks/main.yml | 183 +++++++++++++++++++++
1 file changed, 183 insertions(+)
create mode 100755 ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
(limited to 'ansible/roles/ansible-vvp-bootstrap/tasks/main.yml')
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
new file mode 100755
index 0000000..48b545e
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -0,0 +1,183 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+- name: install packages
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - docker
+ tags:
+ - bootstrap
+
+- name: Is our management IP set?
+ shell: "ip addr show {{ops_management_interface}} | grep {{ops_management_ip}}"
+ register: mgmt_ip
+ tags:
+ - bootstrap
+ ignore_errors: True
+
+- name: Set interface address
+ command: ip addr add {{ops_management_ip}}/24 dev {{ops_management_interface}}
+ when: mgmt_ip.stdout == ""
+ tags:
+ - bootstrap
+
+- name: Temporarily allow all INPUT
+ shell: iptables -P INPUT ACCEPT
+ tags:
+ - always
+
+- name: Temporarily allow all OUTPUT
+ shell: iptables -P OUTPUT ACCEPT
+ tags:
+ - always
+
+- name: Flush all IPTables Rules (non nat)
+ shell: iptables -F
+ tags:
+ - always
+
+- name: Allow SSH for development environments
+ shell: iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o {{ops_management_interface}} --sport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow SSH for non-development environments
+ shell: iptables -A INPUT -p tcp -i {{ops_management_interface}} --dport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow Outbound UDP DNS
+ shell: iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+- name: Allow Inbound UDP DNS replies
+ shell: iptables -A INPUT -p udp --sport 53 -j ACCEPT
+
+- name: Allow Outbound Web Requests
+ shell: iptables -A OUTPUT -p tcp --dport {{item}} -j ACCEPT
+ with_items:
+ - 443
+ - 80
+
+- name: Allow Inbound Web Replies
+ shell: iptables -A INPUT -p tcp --sport {{item}} -m state --state ESTABLISHED,RELATED -j ACCEPT
+ with_items:
+ - 443
+ - 80
+- name: Drop INPUT
+ shell: iptables -P INPUT DROP
+ tags:
+ - always
+
+- name: Drop OUTPUT
+ shell: iptables -P OUTPUT DROP
+ tags:
+ - always
+
+- name: Drop FORWARD
+ shell: 
iptables -P FORWARD DROP
+ tags:
+ - always
+
+- name: set additional interfaces ip
+ command: ip addr add {{item.value}} dev {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Bring additional interfaces up
+ command: ifup {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Add self to resolv.conf
+ lineinfile:
+ dest: /etc/resolv.conf
+ line: "nameserver {{ops_management_ip}}"
+ insertbefore: BOF
+
+- name: start docker
+ command: systemctl restart docker
+ tags:
+ - always
+
+- name: Disable Forwarding
+ command: "echo 0 > /proc/sys/net/ipv4/ip_forward"
+ tags:
+ - bootstrap
+
+#########################
+# FILESYSTEM
+#
+- name: Create files DIR
+ file: state=directory path="{{files_dir}}" mode=0755
+ tags:
+ - bootstrap
+ - tls
+
+- include: matchbox.yml
+ tags:
+ - bootstrap
+ - matchbox
+
+
+- include: tls.yml
+ tags:
+ - bootstrap
+ - tls
+
+- include: dnsmasq.yml
+ tags:
+ - bootstrap
+ - dnsmasq
+
-- cgit 1.2.3-korg
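Review bot: The "Disable Forwarding" task, `command: "echo 0 > /proc/sys/net/ipv4/ip_forward"`, never writes the file: the command module does not go through a shell, so `>` and the path are passed to echo as literal arguments, echo prints them and exits 0, and the task reports success while forwarding is left unchanged. Replacing it with the sysctl module, `sysctl:` / `name: net.ipv4.ip_forward` / `value: "0"`, applies the setting, is idempotent and also survives a reboot. Separately, the "Allow Outbound UDP DNS", "Allow Inbound UDP DNS replies", "Allow Outbound Web Requests" and "Allow Inbound Web Replies" tasks carry no tags while the flush and the `iptables -P INPUT DROP` / `iptables -P OUTPUT DROP` tasks are tagged `always`, so any run restricted with `--tags` still flushes and sets DROP policies but skips the DNS and HTTP/HTTPS allow rules, leaving the host without egress; tagging those four tasks `always` like their neighbours closes that gap. Nothing in the hunk persists the iptables ruleset (no `iptables-save` or iptables service handler), so it reverts to the distribution default at reboot, and because the ACCEPT policies and `iptables -F` run first and the DROP policies last, a failure in any task between them leaves the firewall fully open until the next run.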