# -*- encoding: utf-8 -*- # ============LICENSE_START======================================================= # org.onap.vvp/engagementmgr # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # =================================================================== # # Unless otherwise specified, all software contained herein is licensed # under the Apache License, Version 2.0 (the “License”); # you may not use this software except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # # # Unless otherwise specified, all documentation contained herein is licensed # under the Creative Commons License, Attribution 4.0 Intl. (the “License”); # you may not use this documentation except in compliance with the License. # You may obtain a copy of the License at # # https://creativecommons.org/licenses/by/4.0/ # # Unless required by applicable law or agreed to in writing, documentation # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ============LICENSE_END============================================ # # ECOMP is a trademark and service mark of AT&T Intellectual Property. --- - name: install packages yum: name: "{{ item }}" state: present with_items: - docker tags: - bootstrap - name: Is our management IP set? shell: "ip addr show {{ops_management_interface}} | grep {{ops_management_ip}}" register: mgmt_ip tags: - bootstrap ignore_errors: True - name: Set interface address command: ip addr add {{ops_management_ip}}/24 dev {{ops_management_interface}} when: mgmt_ip.stdout == "" tags: - bootstrap - name: Temporarily allow all INPUT shell: iptables -P INPUT ACCEPT tags: - always - name: Temporarily allow all OUTPUT shell: iptables -P OUTPUT ACCEPT tags: - always - name: Flush all IPTables Rules (non nat) shell: iptables -F tags: - always - name: Allow SSH for development environments shell: iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT when: ice_environment == "development" tags: - always - name: Allow SSH out for development environments shell: iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT when: ice_environment == "development" tags: - always - name: Allow SSH out for development environments shell: iptables -A OUTPUT -p tcp -o {{ops_management_interface}} --sport 22 -j ACCEPT when: ice_environment != "development" tags: - always - name: Allow SSH for non-development environments shell: iptables -A INPUT -p tcp -i {{ops_management_interface}} --dport 22 -j ACCEPT when: ice_environment != "development" tags: - always - name: Allow Outbound UDP DNS shell: iptables -A OUTPUT -p udp --dport 53 -j ACCEPT - name: Allow Inbound UDP DNS replies shell: iptables -A INPUT -p udp --sport 53 -j ACCEPT - name: Allow Outbound Web Requests shell: iptables -A OUTPUT -p tcp --dport {{item}} -j ACCEPT with_items: - 443 - 80 - name: Allow Inbound Web Replies shell: iptables -A INPUT -p tcp --sport {{item}} -m state --state ESTABLISHED,RELATED -j ACCEPT with_items: - 443 - 80 # dnsmask prereq - Allow ping between all hosts - name: Allow Ping from Outside to Inside shell: | iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT - name: Allow Ping from Inside to Outside shell: | iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT - name: Drop INPUT shell: iptables -P INPUT DROP tags: - always - name: Drop OUTPUT shell: iptables -P OUTPUT DROP tags: - always - name: Drop FORWARD shell: iptables -P FORWARD DROP tags: - always - name: set additional interfaces ip command: ip addr add {{item.value}} dev {{item.key}} when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address']) with_dict: "{{ additional_interfaces }}" - name: Bring additional interfaces up command: ifup {{item.key}} when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address']) with_dict: "{{ additional_interfaces }}" - name: Add self to resolv.conf lineinfile: dest: /etc/resolv.conf line: "nameserver {{ops_management_ip}}" insertbefore: BOF - name: start docker command: systemctl restart docker tags: - always - name: Disable Forwarding command: "echo 0 > /proc/sys/net/ipv4/ip_forward" tags: - bootstrap ######################### # FILESYSTEM # - name: Create files DIR file: state=directory path="{{files_dir}}" mode=0755 tags: - bootstrap - tls - include: matchbox.yml tags: - bootstrap - matchbox - include: tls.yml tags: - bootstrap - tls - include: dnsmasq.yml tags: - bootstrap - dnsmasq