DICE-UNC / de-ansible


make firewalld optional/platform sensitive in bootstrap.yaml #12

Open michael-conway opened 8 years ago

michael-conway commented 8 years ago

in bootstrap.yaml get this failure at RENCI


TASK: [iptables | stop firewalld, if running] ********************************* 
failed: [dfc-test-de2.edc.renci.org] => {"failed": true}
msg: no service or tool found for: firewalld
...ignoring
failed: [dfc-test-condor2.edc.renci.org] => {"failed": true}
msg: no service or tool found for: firewalld
...ignoring
failed: [dfc-test-desrvc2.edc.renci.org] => {"failed": true}
msg: no service or tool found for: firewalld
...ignoring
failed: [dfc-test-cas2.edc.renci.org] => {"failed": true}
msg: no service or tool found for: firewalld
...ignoring

TASK: [iptables | mask firewalld service] ************************************* 
failed: [dfc-test-desrvc2.edc.renci.org] => {"changed": true, "cmd": "systemctl mask firewalld", "delta": "0:00:00.002284", "end": "2015-12-02 07:44:55.665260", "rc": 127, "start": "2015-12-02 07:44:55.662976", "warnings": []}
stderr: /bin/sh: systemctl: command not found
failed: [dfc-test-de2.edc.renci.org] => {"changed": true, "cmd": "systemctl mask firewalld", "delta": "0:00:00.002958", "end": "2015-12-02 07:44:23.252826", "rc": 127, "start": "2015-12-02 07:44:23.249868", "warnings": []}
stderr: /bin/sh: systemctl: command not found
failed: [dfc-test-condor2.edc.renci.org] => {"changed": true, "cmd": "systemctl mask firewalld", "delta": "0:00:00.003689", "end": "2015-12-02 07:45:33.810053", "rc": 127, "start": "2015-12-02 07:45:33.806364", "warnings": []}
stderr: /bin/sh: systemctl: command not found
failed: [dfc-test-cas2.edc.renci.org] => {"changed": true, "cmd": "systemctl mask firewalld", "delta": "0:00:00.002860", "end": "2015-12-02 07:45:34.736062", "rc": 127, "start": "2015-12-02 07:45:34.733202", "warnings": []}
stderr: /bin/sh: systemctl: command not found

FATAL: all hosts have already failed -- aborting

Make those tasks sensitive to whether that service is actually running

donsizemore commented 8 years ago

Mike, try it now?

michael-conway commented 8 years ago

better, fails here with undefined variable?

TASK: [iptables | insert iptables template] *********************************** 
fatal: [dfc-test-desrvc2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-desrvc2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-condor2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-condor2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-de2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-de2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-cas2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}
fatal: [dfc-test-cas2.edc.renci.org] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'net_dmz' is undefined", 'failed': True}

FATAL: all hosts have already failed -- aborting

donsizemore commented 8 years ago

yes, I was selfish/greedy/lazy and defined some firewalld-style network ranges that we would want at Odum:

net_campus:
net_dmz:
net_trust:
net_vpn:
net_wifi:

we could eventually glom some of them together (or I could find a smarter way to break Odum's out using Ansible loops/conditionals). I imagine treating RENCI's class B as net_campus would allow everything else to fall into place, though?

donsizemore commented 8 years ago

TODO: s/ansible_os_distribution/ansible_os_family/ globally

Ansible recommends systems groups but I think the cleanest way (for now) would be for us to check for os_family instead of distro, and break out debian commands as needed.
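
One way to guard the two failing firewalld tasks and the range variables named in this thread, as an added example that is not taken from the de-ansible repository. It assumes Ansible 2.7 or later, that the package is named `firewalld`, and that the iptables template needs all five ranges.

```yaml
# Added example, not from the de-ansible repository.
# Assumptions: Ansible >= 2.7; package name "firewalld"; the iptables
# template requires all five net_* ranges listed in the thread.
- name: collect installed packages
  package_facts:
    manager: auto

- name: stop firewalld, if installed
  service:
    name: firewalld
    state: stopped
  when: "'firewalld' in ansible_facts.packages"

# Hosts without systemd (the "systemctl: command not found" case) skip this.
- name: mask firewalld service
  systemd:
    name: firewalld
    masked: true
  when:
    - ansible_service_mgr == 'systemd'
    - "'firewalld' in ansible_facts.packages"

# Stop with a clear message before the template task runs, instead of
# rendering firewall rules from a missing or empty network range.
- name: check network ranges used by the iptables template
  assert:
    that:
      - "lookup('vars', item, default='') | default('', true) | length > 0"
    fail_msg: "{{ item }} is undefined or empty; set it before rendering iptables rules"
  loop:
    - net_campus
    - net_dmz
    - net_trust
    - net_vpn
    - net_wifi
```

Because the range check fails closed, a site that has not defined its ranges gets an explicit error naming the variable rather than a partially rendered rule set.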