continued improvements to the base roles and iptables handling

11 years ago · 0c3f17fcb0
parent 3ff2020d2c
commit 0c3f17fcb0
8 changed files with 27 additions and 29 deletions
--- a/lamp_haproxy/db.yml
+++ b/lamp_haproxy/db.yml
@ -1,6 +1,10 @@
 ---
 # This playbook deploys MySQL and configures the database on the db node(s)

+# fetch monitoring facts for iptables rules
+- hosts: monitoring
+  tasks:
+
 - hosts: dbservers
  user: root
  roles:
--- a/lamp_haproxy/haproxy.yml
+++ b/lamp_haproxy/haproxy.yml
@ -1,6 +1,10 @@
 ---
 # Playbook for HAProxy operations

+# fetch monitoring facts for iptables rules
+- hosts: monitoring
+  tasks:
+
 - hosts: lbservers
  user: root
  roles:
--- a/lamp_haproxy/roles/base-apache/handlers/main.yml
+++ b/lamp_haproxy/roles/base-apache/handlers/main.yml
@ -1,5 +0,0 @@
---
-# Handler for the web tier
-
- name: restart iptables
-  service: name=iptables state=restarted
--- a/lamp_haproxy/roles/base-apache/tasks/main.yml
+++ b/lamp_haproxy/roles/base-apache/tasks/main.yml
@ -8,13 +8,5 @@
   - libsemanage-python
   - libselinux-python

- name: insert iptables template for httpd
-  template: src=iptables.j2 dest=/etc/sysconfig/iptables
-  register: last_run
-
- name: Apply iptable rule
-  service: name=iptables state=restarted
-  only_if: ${last_run.changed}
-
 - name: http service state
  service: name=httpd state=started enabled=yes
--- a/lamp_haproxy/roles/common/tasks/main.yml
+++ b/lamp_haproxy/roles/common/tasks/main.yml
@ -29,3 +29,7 @@

 - name: Install EPEL RPM
  yum: name=/tmp/epel-release-6-8.noarch.rpm state=installed
+
+- name: insert iptables template
+  template: src=iptables.j2 dest=/etc/sysconfig/iptables
+  notify: restart iptables
--- a/lamp_haproxy/roles/base-apache/templates/iptables.j2
+++ b/lamp_haproxy/roles/base-apache/templates/iptables.j2
@ -1,19 +1,26 @@
 # {{ ansible_managed }}
-
+# Manual customization of this file is not recommended.
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-A INPUT -p tcp  --dport 80 -j  ACCEPT
+
+{% if inventory_hostname in groups['webservers'] %}
+-A INPUT -p tcp  --dport 80 -j ACCEPT
+{% endif %}
+
+{% if inventory_hostname in groups['dbservers'] %}
+-A INPUT -p tcp  --dport 3306 -j  ACCEPT
+{% endif %}
+
+{% if inventory_hostname in groups['lbservers'] %}
+-A INPUT -p tcp  --dport {{ listenport }} -j  ACCEPT
+{% endif %}
+
 {% for host in groups['monitoring'] %}
 -A INPUT -p tcp -s {{ hostvars[host].ansible_default_ipv4.address }} --dport 5666 -j ACCEPT
 {% endfor %}
-A INPUT -p tcp  --dport 111 -j  ACCEPT
-A INPUT -p udp  --dport 111 -j  ACCEPT
-A INPUT -p tcp  --dport 892 -j  ACCEPT
-A INPUT -p udp  --dport 892 -j  ACCEPT
-A INPUT -p tcp  --dport 850 -j  ACCEPT
-A INPUT -p udp  --dport 850 -j  ACCEPT
+
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--- a/lamp_haproxy/roles/db/tasks/main.yml
+++ b/lamp_haproxy/roles/db/tasks/main.yml
@ -20,10 +20,6 @@
 - name: Start Mysql Service
  service: name=mysqld state=started enabled=true

- name: insert iptables rule
-  lineinfile: dest=/etc/sysconfig/iptables state=present regexp="$mysql_port" insertafter="^:OUTPUT " line="-A INPUT -p tcp  --dport $mysql_port -j  ACCEPT"
-  notify: restart iptables
-
 - name: Create Application Database
  mysql_db: name=$dbname state=present

--- a/lamp_haproxy/roles/haproxy/tasks/main.yml
+++ b/lamp_haproxy/roles/haproxy/tasks/main.yml
@ -7,10 +7,6 @@
  - haproxy
  - socat

- name: Open firewall port for haproxy.
-  lineinfile: dest=/etc/sysconfig/iptables state=present regexp="$listenport" insertafter="^:OUTPUT " line="-A INPUT -p tcp  --dport $listenport -j  ACCEPT"
-  notify: restart iptables
-
 - name: Configure the haproxy cnf file with hosts
  template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg
  notify: restart haproxy