# -*- encoding: utf-8 -*-
# ============LICENSE_START=======================================================
# org.onap.vvp/engagementmgr
# ===================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
# ===================================================================
#
# Unless otherwise specified, all software contained herein is licensed
# under the Apache License, Version 2.0 (the “License”);
# you may not use this software except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
#
# Unless otherwise specified, all documentation contained herein is licensed
# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
# you may not use this documentation except in compliance with the License.
# You may obtain a copy of the License at
#
# https://creativecommons.org/licenses/by/4.0/
#
# Unless required by applicable law or agreed to in writing, documentation
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# ============LICENSE_END============================================
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
# Load the TFTP connection-tracking helper. The TFTP rules further down only
# accept ESTABLISHED,RELATED traffic on high ports, so the kernel must be able
# to relate the data transfer back to the initial request on port 69.
- name: Install nf_conntrack_tftp
  modprobe:
    name: nf_conntrack_tftp
    state: present
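# Only needed when chainloading: the same flag decides below whether the
# file is bind-mounted into the dnsmasq container.
- name: Copy our pxe client
  copy:
    src: iceundionly.kpxe
    dest: "{{ files_dir }}/iceundionly.kpxe"
  when: pxe_chainload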
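# The leases file is bind-mounted into the container later; it must exist on
# the host first or docker would create a directory in its place.
# NOTE: state=touch updates the mtime and reports "changed" on every run.
- name: Create DNSMASQ leases file
  file:
    path: "{{ files_dir }}/leases"
    # quoted: an unquoted 0644 is read as the decimal integer 420 by YAML
    mode: "0644"
    state: touch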
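# Inserted at the top of INPUT so these drops take precedence over the
# ACCEPT rules appended further down, which do not restrict the interface.
# The iptables module checks whether the rule already exists before adding
# it, so re-runs do not stack duplicate rules, and the interpolated
# interface name is passed as an argument rather than through a shell.
- name: DROP DNS, tftp requests from public
  iptables:
    chain: INPUT
    protocol: udp
    destination_port: "{{ item }}"
    in_interface: "{{ ops_public_interface }}"
    jump: DROP
    action: insert
  with_items:
    - 53
    - 69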
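# Mirror of the inbound drop: never answer DNS/TFTP towards the public
# interface. Inserted at the top of OUTPUT ahead of the broad ACCEPTs below.
- name: DROP DNS, tftp requests to public
  iptables:
    chain: OUTPUT
    protocol: udp
    source_port: "{{ item }}"
    out_interface: "{{ ops_public_interface }}"
    jump: DROP
    action: insert
  with_items:
    - 53
    - 69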
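# DNS (53) plus DHCP/BOOTP/TFTP (67-69) on any interface; traffic from the
# public interface is already dropped by the rules inserted above.
- name: Allow Inbound UDP DHCP Requests
  iptables:
    chain: INPUT
    protocol: udp
    destination_port: "{{ item }}"
    jump: ACCEPT
  with_items:
    - 53
    # quoted: colon-separated digits can be read as a base-60 integer by
    # YAML 1.1 loaders such as the one Ansible uses
    - "67:69"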
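# Replies sourced from the DNS/DHCP/TFTP service ports.
- name: Allow Outbound UDP DNS, DHCP
  iptables:
    chain: OUTPUT
    protocol: udp
    source_port: "{{ item }}"
    jump: ACCEPT
  with_items:
    - 53
    # quoted: colon-separated digits can be read as a base-60 integer by
    # YAML 1.1 loaders such as the one Ansible uses
    - "67:69"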
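# TFTP data moves to ephemeral ports after the initial request; only flows
# the conntrack helper has related to an existing transfer are allowed.
# Restricted to the management interface.
- name: Allow TFTP file transfers on arbitrary ports (outbound).
  iptables:
    chain: OUTPUT
    protocol: udp
    out_interface: "{{ ops_management_interface }}"
    source_port: "1023:"
    destination_port: "1024:"
    ctstate:
      - ESTABLISHED
      - RELATED
    jump: ACCEPT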
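# Inbound half of the TFTP ephemeral-port exchange; state-restricted so it
# does not open the high port range to unsolicited traffic.
- name: Allow TFTP file transfers on arbitrary ports (inbound).
  iptables:
    chain: INPUT
    protocol: udp
    in_interface: "{{ ops_management_interface }}"
    destination_port: "1023:"
    ctstate:
      - ESTABLISHED
      - RELATED
    jump: ACCEPT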
# Rendered on the host and bind-mounted read into the container as
# /etc/dnsmasq.conf by the start task.
- name: Render DNSMASQ configuration
  template:
    src: 'dnsmasq.conf.j2'
    dest: '{{ files_dir }}/dnsmasq.conf'
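# Pure lookup: collect the IDs of running containers whose `docker ps` line
# mentions dnsmasq (image name or container name). Can yield several lines.
# changed_when: false keeps this read-only probe from reporting a change.
- name: Is dnsmasq already running?
  shell: docker ps | grep dnsmasq | awk '{ print $1 }'
  register: dnsmasq_id
  changed_when: false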
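# One kill per matched container ID. The lookup above may return several
# lines, and passing the whole multi-line stdout as a single quoted argument
# would make docker fail on a malformed ID.
- name: Kill dnsmasq!
  command: docker kill {{ item }}
  with_items: "{{ dnsmasq_id.stdout_lines }}"
  when: dnsmasq_id.stdout != ""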
# Folded scalar: every line is joined with a single space into one command.
# --net=host / NET_ADMIN: presumably required for dnsmasq to serve DHCP on
# the host's interfaces — confirm against the dnsmasq.conf template.
# :Z requests an SELinux relabel of the bind-mounted files.
# NOTE(review): the image has no tag or digest, so each start pulls whatever
# "latest" currently is; pin it (quay.io/coreos/dnsmasq:<TAG-OR-DIGEST>)
# once the intended version is known.
# -d keeps dnsmasq in the foreground as the container's main process,
# -q logs the DNS queries it serves.
- name: Start DNSMASQ
  command: >-
    docker run -d
    --net=host
    --cap-add=NET_ADMIN
    -v {{ files_dir }}/leases:/var/lib/misc/dnsmasq.leases:Z
    -v {{ files_dir }}/dnsmasq.conf:/etc/dnsmasq.conf:Z
    {% if pxe_chainload %}
    -v {{ files_dir }}/iceundionly.kpxe:/var/lib/tftpboot/iceundionly.kpxe:Z
    {% endif %}
    quay.io/coreos/dnsmasq -d -q