|
@@ -3,64 +3,84 @@
|
|
|
- name: Fixes required on utility VM.
|
|
|
hosts: utility.lab.example.com
|
|
|
become: yes
|
|
|
- gather_facts: no
|
|
|
+ gather_subset: min
|
|
|
tasks:
|
|
|
- # Fixing the DNS first.
|
|
|
- - name: add ocp4.example.com hosts to /etc/hosts
|
|
|
- become: yes
|
|
|
- ansible.builtin.lineinfile:
|
|
|
- path: /etc/hosts
|
|
|
- mode: 0644
|
|
|
- regex: "{{ item.hostname }}"
|
|
|
- line: "{{ item.addr }} {{ item.hostname }}"
|
|
|
- state: present
|
|
|
- loop:
|
|
|
- - addr: 192.168.50.40
|
|
|
- hostname: idm.ocp4.example.com
|
|
|
- - addr: 192.168.50.50
|
|
|
- hostname: registry.ocp4.example.com
|
|
|
- - addr: 192.168.50.10
|
|
|
- hostname: master01.ocp4.example.com
|
|
|
- - addr: 192.168.50.11
|
|
|
- hostname: master02.ocp4.example.com
|
|
|
- - addr: 192.168.50.12
|
|
|
- hostname: master03.ocp4.example.com
|
|
|
- - addr: 192.168.50.13
|
|
|
- hostname: worker01.ocp4.example.com
|
|
|
- - addr: 192.168.50.14
|
|
|
- hostname: worker02.ocp4.example.com
|
|
|
+# XXX DONE XXX # Fixing the DNS first.
|
|
|
+# XXX DONE XXX - name: add ocp4.example.com hosts to /etc/hosts
|
|
|
+# XXX DONE XXX become: yes
|
|
|
+# XXX DONE XXX ansible.builtin.lineinfile:
|
|
|
+# XXX DONE XXX path: /etc/hosts
|
|
|
+# XXX DONE XXX mode: 0644
|
|
|
+# XXX DONE XXX regex: "{{ item.hostname }}"
|
|
|
+# XXX DONE XXX line: "{{ item.addr }} {{ item.hostname }}"
|
|
|
+# XXX DONE XXX state: present
|
|
|
+# XXX DONE XXX loop:
|
|
|
+# XXX DONE XXX - addr: 192.168.50.40
|
|
|
+# XXX DONE XXX hostname: idm.ocp4.example.com
|
|
|
+# XXX DONE XXX - addr: 192.168.50.50
|
|
|
+# XXX DONE XXX hostname: registry.ocp4.example.com
|
|
|
+# XXX DONE XXX - addr: 192.168.50.10
|
|
|
+# XXX DONE XXX hostname: master01.ocp4.example.com
|
|
|
+# XXX DONE XXX - addr: 192.168.50.11
|
|
|
+# XXX DONE XXX hostname: master02.ocp4.example.com
|
|
|
+# XXX DONE XXX - addr: 192.168.50.12
|
|
|
+# XXX DONE XXX hostname: master03.ocp4.example.com
|
|
|
+# XXX DONE XXX - addr: 192.168.50.13
|
|
|
+# XXX DONE XXX hostname: worker01.ocp4.example.com
|
|
|
+# XXX DONE XXX - addr: 192.168.50.14
|
|
|
+# XXX DONE XXX hostname: worker02.ocp4.example.com
|
|
|
+# XXX DONE XXX
|
|
|
+# XXX DONE XXX - name: Ensure dnsmasq is installed.
|
|
|
+# XXX DONE XXX ansible.builtin.yum:
|
|
|
+# XXX DONE XXX name:
|
|
|
+# XXX DONE XXX - dnsmasq
|
|
|
+# XXX DONE XXX - dnsmasq-utils
|
|
|
+# XXX DONE XXX state: present
|
|
|
+# XXX DONE XXX
|
|
|
+# XXX DONE XXX - name: Ensure dnsmasq is listening on all interfaces
|
|
|
+# XXX DONE XXX ansible.builtin.lineinfile:
|
|
|
+# XXX DONE XXX path: /etc/dnsmasq.conf
|
|
|
+# XXX DONE XXX mode: 0644
|
|
|
+# XXX DONE XXX regex: "^interface=(.*)$"
|
|
|
+# XXX DONE XXX line: '#interface=\g<1>'
|
|
|
+# XXX DONE XXX backrefs: yes
|
|
|
+# XXX DONE XXX
|
|
|
+# XXX DONE XXX - name: Ensure dnsmasq is enabled and running.
|
|
|
+# XXX DONE XXX ansible.builtin.systemd_service:
|
|
|
+# XXX DONE XXX name: dnsmasq
|
|
|
+# XXX DONE XXX enabled: yes
|
|
|
+# XXX DONE XXX state: started
|
|
|
+# XXX DONE XXX
|
|
|
+# XXX DONE XXX - name: Ensure DNS is open in the firewall.
|
|
|
+# XXX DONE XXX ansible.posix.firewalld:
|
|
|
+# XXX DONE XXX immediate: yes
|
|
|
+# XXX DONE XXX permanent: yes
|
|
|
+# XXX DONE XXX zone: "{{ item }}"
|
|
|
+# XXX DONE XXX service: dns
|
|
|
+# XXX DONE XXX state: enabled
|
|
|
+# XXX DONE XXX loop:
|
|
|
+# XXX DONE XXX - external
|
|
|
+# XXX DONE XXX - public
|
|
|
|
|
|
- - name: Ensure dnsmasq is installed.
|
|
|
- ansible.builtin.yum:
|
|
|
- name:
|
|
|
- - dnsmasq
|
|
|
- - dnsmasq-utils
|
|
|
- state: present
|
|
|
-
|
|
|
- - name: Ensure dnsmasq is listening on all interfaces
|
|
|
+ - name: Ensure idm is in ocp4.example.com zone.
|
|
|
ansible.builtin.lineinfile:
|
|
|
- path: /etc/dnsmasq.conf
|
|
|
- mode: 0644
|
|
|
- regex: "^interface=(.*)$"
|
|
|
- line: '#interface=\g<1>'
|
|
|
- backrefs: yes
|
|
|
-
|
|
|
- - name: Ensure dnsmasq is enabled and running.
|
|
|
- ansible.builtin.systemd_service:
|
|
|
- name: dnsmasq
|
|
|
- enabled: yes
|
|
|
- state: started
|
|
|
+ path: /var/named/ocp4.example.com.db
|
|
|
+ regex: '^idm[[:space:]]'
|
|
|
+ insertafter: '.*IN NS dns\.ocp4\.example\.com\.$'
|
|
|
+ line: 'idm IN A 192.168.50.40'
|
|
|
+ notify:
|
|
|
+ - fix forward zone serial
|
|
|
+ - restart named
|
|
|
|
|
|
- - name: Ensure DNS is open in the firewall.
|
|
|
- ansible.posix.firewalld:
|
|
|
- immediate: yes
|
|
|
- permanent: yes
|
|
|
- zone: "{{ item }}"
|
|
|
- service: dns
|
|
|
- state: enabled
|
|
|
- loop:
|
|
|
- - external
|
|
|
- - public
|
|
|
+ - name: Ensure idm is in ocp4.example.com reverse zone.
|
|
|
+ ansible.builtin.lineinfile:
|
|
|
+ path: /var/named/ocp4.example.com.reverse.db
|
|
|
+ regex: '^40[[:space:]]'
|
|
|
+ insertafter: '.*IN NS dns\.ocp4\.example\.com\.$'
|
|
|
+ line: '40 IN PTR idm.ocp4.example.com.'
|
|
|
+ notify:
|
|
|
+ - fix reverse zone serial
|
|
|
+ - restart named
|
|
|
|
|
|
- name: Ensure utility allows forwarding traffic from external to public/trusted zones.
|
|
|
ansible.builtin.copy:
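Review bot: The `regex: '^idm[[:space:]]'` on the new forward-zone task (and `'^40[[:space:]]'` on the reverse-zone task) is a POSIX bracket expression, which Python's `re` — the engine lineinfile uses — does not support; it is parsed as the character set `[[:space:]` followed by a literal `]`, so it never matches an existing `idm IN A …` or `40 IN PTR …` record (Python 3.7+ also emits a FutureWarning about a possible nested set). The consequence is that the replace-in-place path is never taken: if the address is ever changed, the stale record stays in the zone and a second A/PTR record is inserted after the NS line, and named will happily serve both. Use Python syntax instead: `regex: '^idm\s'` and `regex: '^40\s'`. Separately, the 58 lines of `# XXX DONE XXX` commented-out tasks are dead code that git history already preserves; deleting them keeps the play readable and avoids anyone "re-enabling" a dnsmasq that now conflicts with named on port 53.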
|
|
@@ -83,6 +103,23 @@
|
|
|
name: firewalld
|
|
|
state: reloaded
|
|
|
|
|
|
+ - name: fix forward zone serial
|
|
|
+ ansible.builtin.lineinfile:
|
|
|
+ path: /var/named/ocp4.example.com.db
|
|
|
+ regex: '.*; serial$'
|
|
|
+ line: " {{ ansible_facts['date_time']['year'] }}{{ ansible_facts['date_time']['month'] }}{{ ansible_facts['date_time']['day'] }}00"
|
|
|
+
|
|
|
+ - name: fix reverse zone serial
|
|
|
+ ansible.builtin.lineinfile:
|
|
|
+ path: /var/named/ocp4.example.com.reverse.db
|
|
|
+ regex: '.*; serial$'
|
|
|
+ line: " {{ ansible_facts['date_time']['year'] }}{{ ansible_facts['date_time']['month'] }}{{ ansible_facts['date_time']['day'] }}00"
|
|
|
+
|
|
|
+ - name: restart named
|
|
|
+ ansible.builtin.service:
|
|
|
+ name: named
|
|
|
+ state: restarted
|
|
|
+
|
|
|
- name: Fix registry VM configuration.
|
|
|
hosts: registry.ocp4.example.com
|
|
|
become: yes
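Review bot: The `fix forward zone serial` and `fix reverse zone serial` handlers match on `'.*; serial$'` but replace the whole line with a bare number, dropping the `; serial` marker; the next time they are notified the regex no longer matches and, with no `insertafter`, lineinfile appends the new serial at the end of the zone file, which is invalid zone data that the following `restart named` will then try to load. Keep the marker and make a miss a no-op by using backrefs: `regex: '^(\s*)\d+(\s*; serial)\s*$'`, `line: '\g<1>{{ ansible_facts["date_time"]["year"] }}{{ ansible_facts["date_time"]["month"] }}{{ ansible_facts["date_time"]["day"] }}00\g<2>'`, `backrefs: true` (same change for the reverse-zone handler). Note also that a `YYYYMMDD00` serial is the same value for every run on a given day, so a second change the same day is invisible to any secondary, and a zone whose serial is already higher would be moved backwards — presumably fine for this lab, but worth a one-line comment above the handler. Finally, `ansible.builtin.service` with `state: restarted` is inconsistent with the `ansible.builtin.systemd_service` used elsewhere in the play, and `state: reloaded` (rndc reload) is sufficient for a zone-file edit and avoids a resolver outage for every host pointed at this VM.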
|
|
@@ -98,13 +135,13 @@
|
|
|
notify:
|
|
|
- reload registry firewalld
|
|
|
|
|
|
- #- name: Ensure registry is using bastion as the DNS
|
|
|
- # community.general.nmcli:
|
|
|
- # conn_name: "System eth1"
|
|
|
- # dns4: 172.25.250.254
|
|
|
- # state: present
|
|
|
- # notify:
|
|
|
- # - bounce eth1
|
|
|
+# XXX DONE XXX #- name: Ensure registry is using bastion as the DNS
|
|
|
+# XXX DONE XXX # community.general.nmcli:
|
|
|
+# XXX DONE XXX # conn_name: "System eth1"
|
|
|
+# XXX DONE XXX # dns4: 172.25.250.254
|
|
|
+# XXX DONE XXX # state: present
|
|
|
+# XXX DONE XXX # notify:
|
|
|
+# XXX DONE XXX # - bounce eth1
|
|
|
|
|
|
handlers:
|
|
|
- name: reload registry firewalld
|
|
@@ -112,15 +149,15 @@
|
|
|
name: firewalld
|
|
|
state: reloaded
|
|
|
|
|
|
- #- name: reload connections
|
|
|
- # listen: bounce eth1
|
|
|
- # ansible.builtin.command: nmcli con reload
|
|
|
-
|
|
|
- #- name: take eth1 down
|
|
|
- # listen: bounce eth1
|
|
|
- # ansible.builtin.command: nmcli con down "System eth1"
|
|
|
-
|
|
|
- #- name: bring eth1 up
|
|
|
- # listen: bounce eth1
|
|
|
- # ansible.builtin.command: nmcli con up "System eth1"
|
|
|
+# XXX DONE XXX #- name: reload connections
|
|
|
+# XXX DONE XXX # listen: bounce eth1
|
|
|
+# XXX DONE XXX # ansible.builtin.command: nmcli con reload
|
|
|
+# XXX DONE XXX
|
|
|
+# XXX DONE XXX #- name: take eth1 down
|
|
|
+# XXX DONE XXX # listen: bounce eth1
|
|
|
+# XXX DONE XXX # ansible.builtin.command: nmcli con down "System eth1"
|
|
|
+# XXX DONE XXX
|
|
|
+# XXX DONE XXX #- name: bring eth1 up
|
|
|
+# XXX DONE XXX # listen: bounce eth1
|
|
|
+# XXX DONE XXX # ansible.builtin.command: nmcli con up "System eth1"
|
|
|
...
|