csa/devops/ansible-patches/openshift.git/roles/os_firewall, branch ands Unnamed repository; edit this file 'description' to name the repository. Allow for firewalld on atomic host 2018-01-18T13:38:47+00:00 Scott Dodson sdodson@redhat.com 2018-01-17T22:23:12+00:00 4671dcc9292c2aa65e16afab323413efea5e68dc Right now this is only available on fedora so guard it with openshift_enable_unsupported_configurations 
Right now this is only available on fedora so guard it with
openshift_enable_unsupported_configurations
Migrate to import_role for static role inclusion 2018-01-05T17:44:56+00:00 Scott Dodson sdodson@redhat.com 2018-01-05T17:44:56+00:00 eacc12897ca86a255f89b8a4537ce2b7004cf319 In Ansible 2.2, the include_role directive came into existence as a Tech Preview. It is still a Tech Preview through Ansible 2.4 (and in current devel branch), but with a noteable change. The default behavior switched from static: true to static: false because that functionality moved to the newly introduced import_role directive (in order to stay consistent with include* being dynamic in nature and `import* being static in nature). The dynamic include is considerably more memory intensive as it will dynamically create a role import for every host in the inventory list to be used. (Also worth noting, there is at the time of this writing an object allocation inefficiency in the dynamic include that can in certain situations amplify this effect considerably) This change is meant to mitigate the pressure on memory for the Ansible control host. We need to evaluate where it makes sense to dynamically include roles and revert back to dynamic inclusion if and where it makes sense to do so. 
In Ansible 2.2, the include_role directive came into existence as
a Tech Preview. It is still a Tech Preview through Ansible 2.4
(and in current devel branch), but with a noteable change. The
default behavior switched from static: true to static: false
because that functionality moved to the newly introduced
import_role directive (in order to stay consistent with include*
being dynamic in nature and `import* being static in nature).

The dynamic include is considerably more memory intensive as it will
dynamically create a role import for every host in the inventory
list to be used. (Also worth noting, there is at the time of this
writing an object allocation inefficiency in the dynamic include
that can in certain situations amplify this effect considerably)

This change is meant to mitigate the pressure on memory for the
Ansible control host.

We need to evaluate where it makes sense to dynamically include roles
and revert back to dynamic inclusion if and where it makes sense to do
so.
Deprecate using Ansible tests as filters 2017-12-14T21:03:44+00:00 Russell Teague rteague@redhat.com 2017-12-14T20:00:59+00:00 c113074f5b84881f416aca40e2bf4e20d4e6ce41 






retry package operations
2017-11-30T21:45:20+00:00

Luke Meyer
lmeyer@redhat.com

2017-11-28T20:46:50+00:00

fbb4e1ca73fd39ce9f18fa7c6f05766ccb0e484a

When a package install/update fails due to network blips or other spotty
availability, retry it. If the failure is a real failure (e.g. package
is really not there) it still fails after 3 tries (Ansible default).





When a package install/update fails due to network blips or other spotty
availability, retry it. If the failure is a real failure (e.g. package
is really not there) it still fails after 3 tries (Ansible default).







Include Deprecation - openshift-loadbalancer
2017-11-22T14:51:43+00:00

Russell Teague
rteague@redhat.com

2017-11-22T14:51:43+00:00

508ea5e5e6fff3010400ab90a15296426884f7f5












Only attempt to start iptables on hosts in the current batch
2017-09-14T02:31:25+00:00

Scott Dodson
sdodson@redhat.com

2017-09-14T02:31:25+00:00

fbe584a902a10214270cf7060d60aaa911e7ffa7

If os_firewall role is called from within a play that uses serial then
it was attempting to start iptables on hosts that may not have had
iptables installed on them yet. So limit the hosts to the current batch.
According to the ansible docs on plays where serial is unused this is
the same as ansible_play_hosts.

See http://docs.ansible.com/ansible/latest/playbooks_variables.html

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739





If os_firewall role is called from within a play that uses serial then
it was attempting to start iptables on hosts that may not have had
iptables installed on them yet. So limit the hosts to the current batch.
According to the ansible docs on plays where serial is unused this is
the same as ansible_play_hosts.

See http://docs.ansible.com/ansible/latest/playbooks_variables.html

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739







Default to global setting for firewall.
2017-08-25T19:50:35+00:00

Kenny Woodson
kwoodson@redhat.com

2017-08-25T19:50:35+00:00

d9d39f333fe7a68440faa1d433809f6f86bd116d












Additional os_firewall role refactoring
2017-08-15T14:12:07+00:00

Russell Teague
rteague@redhat.com

2017-08-14T19:25:28+00:00

ece3cf9aa66e0974e7f30ffb5798b23c64fd04cc

* Remove openshift_facts dependency
* Move firewall initialization from std_include.yml to
openshift_cluster/config.yml

Installing firewall packages is only necessary during OpenShift
installation.





* Remove openshift_facts dependency
* Move firewall initialization from std_include.yml to
openshift_cluster/config.yml

Installing firewall packages is only necessary during OpenShift
installation.







Merge pull request #5051 from DenverJ/fix-iptables-reload
2017-08-15T13:53:19+00:00

Scott Dodson
sdodson@redhat.com

2017-08-15T13:53:19+00:00

0a439f29d56f152f60d360546e83a5130656c7a6

Start iptables on each master in serial




Start iptables on each master in serial






Updated README to reflect refactor.  Moved firewall initialize into separate file.
2017-08-11T02:59:48+00:00

Kenny Woodson
kwoodson@redhat.com

2017-08-11T01:13:54+00:00

7d50ffe98dfa17e3fb72627699c794843ed5295d