Stablized firewalld and multicat-dns

fjudith · Dec 6, 2020 · eae3844 · eae3844
1 parent 0499c05
commit eae3844
Show file tree

Hide file tree

Showing 22 changed files with 180 additions and 61 deletions.
diff --git a/Inventories/vagrant/hosts.yaml b/Inventories/vagrant/hosts.yaml
@@ -1,7 +1,7 @@
 ---
 bastion:
   hosts:
-    bastion.local:
+    bastion.vagrant:
       ansible_host: 127.0.0.1
       ansible_port: 42222
   vars:
@@ -10,7 +10,7 @@ bastion:
 
 database:
   hosts:
-    database.local:
+    database.vagrant:
       ansible_host: 127.0.0.1
       ansible_port: 52222
   vars:

diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+0.1.0-beta1
diff --git a/Vagrantfile b/Vagrantfile
@@ -15,6 +15,13 @@ def serverIP(num)
 end
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  # Populate boxes hosts file
+  # config.hostmanager.enabled = true
+  # config.hostmanager.manage_host = false
+  # config.hostmanager.manage_guest = true
+  # config.hostmanager.ignore_private_ip = false
+  # config.hostmanager.include_offline = true
+
   boxes.each do |boxes|
     NUMBER = 1
     config.vm.define boxes['name'] do |srv|
@@ -23,7 +30,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
       srv.vm.box_version = boxes['box_version'] if boxes.key? 'box_version'
       srv.vm.box_url = boxes['box_url'] if boxes.key? 'box_url'
       srv.vm.hostname = boxes['hostname']
-
+      # srv.hostmanager.aliases = ["#{boxes['hostname']}.localdomain", boxes['hostname']]
+
       # Networking.  By default a NAT interface is added.
       # Add an internal network like this:
       #   srv.vm.network 'private_network', type: 'dhcp', virtualbox__intnet: true
@@ -36,9 +44,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         end
       end
 
-      # if boxes['ssh_port']
-      #   srv.vm.network :forwarded_port, guest: 22, host: boxes['ssh_port'], host_ip: '127.0.0.1', id: 'ssh'
-      # end
+      # Set private network insterface
+      srv.vm.network :private_network, ip: serverIP(NUMBER)
 
       # Copy software packages to tmp
       if boxes['forward_port']
@@ -47,9 +54,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         end
       end
 
-      # Set private network insterface
-      srv.vm.network :private_network, ip: serverIP(NUMBER)
-
       # VirtualBox
       srv.vm.provider 'virtualbox' do |vb|
         vb.customize ['modifyvm', :id, '--cpus', boxes['cpus']] if boxes.key? 'cpus'
@@ -69,8 +73,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
       # Copy cloud-init files to tmp and provision
       if boxes['provision']
-        srv.vm.provision :file, :source => boxes['provision']['meta-data'], :destination => '/tmp/vagrant/cloud-init/nocloud/meta-data'
-        srv.vm.provision :file, :source => boxes['provision']['user-data'], :destination => '/tmp/vagrant/cloud-init/nocloud/user-data'
+        srv.vm.provision :file, :source => boxes['provision']['meta-data'], :destination => '/tmp/vagrant/cloud-init/nocloud-net/meta-data'
+        srv.vm.provision :file, :source => boxes['provision']['user-data'], :destination => '/tmp/vagrant/cloud-init/nocloud-net/user-data'
         srv.vm.provision :shell, :path => boxes['provision']['cloud-init'], :args => boxes['name']
       end
 
@@ -85,12 +89,18 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         rsync__exclude: ['.vagrant/', '.vscode/', '.git/']
 
         srv.vm.provision "ansible_local" do |ansible|
+          ansible.verbose="vvv"
           ansible.become = true
           ansible.verbose = true
           ansible.playbook = boxes['ansible']['playbook']
           ansible.galaxy_roles_path = '/vagrant/roles'
           ansible.galaxy_role_file = "requirements.yaml"
-          ansible.extra_vars = { ansible_python_interpreter: "/usr/bin/python3", ansible_stdout_callback: "debug"}
+          # ansible.install_mode = "pip3_args_only"
+          # ansible.pip_args = "-r requirements.txt"
+          # ansible.extra_vars = {
+          #   ansible_python_interpreter: "/usr/bin/env python3",
+          #   ansible_stdout_callback: "debug"
+          # }
         end
 
       else

diff --git a/ansible.cfg b/ansible.cfg
@@ -1,2 +1,3 @@
 [defaults]
 remote_tmp = /tmp
+intepreter_python=/usr/bin/python3
diff --git a/hack/cloud-init/nocloud/meta-data.yaml → hack/cloud-init/nocloud-net/meta-data.yaml b/hack/cloud-init/nocloud/meta-data.yaml → hack/cloud-init/nocloud-net/meta-data.yaml
@@ -1,6 +1,6 @@
 instance-id: 0001
 hostname: localhost
 machine: x86_64
-platform: nocloud
+platform: nocloud-net
 region: localhost
 availability-zone: null
diff --git a/...cloud-init/nocloud/user-data_bastion.yaml → ...d-init/nocloud-net/user-data_bastion.yaml b/...cloud-init/nocloud/user-data_bastion.yaml → ...d-init/nocloud-net/user-data_bastion.yaml
@@ -62,6 +62,11 @@ packages:
   - python3-pip
   - python3-setuptools
   - libselinux-python3
+    # Python 2
+  - python
+  - python-pip
+  - python-setuptools
+  - libselinux-python
   # Docker engine
   - docker-ce
   - docker-ce-cli

diff --git a/...loud-init/nocloud/user-data_database.yaml → ...-init/nocloud-net/user-data_database.yaml b/...loud-init/nocloud/user-data_database.yaml → ...-init/nocloud-net/user-data_database.yaml
@@ -48,7 +48,11 @@ packages:
   - python3-pip
   - python3-setuptools
   - libselinux-python3
-
+  # Python 2
+  - python
+  - python-pip
+  - python-setuptools
+  - libselinux-python
 runcmd:
   # Install Ansible
   - ['/usr/bin/pip3', 'install', 'ansible==2.9']
diff --git a/hack/local-up-vagrant.sh b/hack/local-up-vagrant.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
 export VAGRANT_WSL_ENABLE_WINDOWS_ACCESS="1"
 
+vagrant plugin install vagrant-scp && \
+vagrant plugin install vagrant-hostmanager && \
 vagrant up
diff --git a/hack/terraform/provider/virtualbox/main.tf b/hack/terraform/provider/virtualbox/main.tf
@@ -4,7 +4,7 @@ resource "virtualbox_vm" "bastion" {
   image     = var.bastion_image
   cpus      = var.bastion_cpu
   memory    = var.bastion_memory + " mib"
-  user_data = file("../../../cloud-init/nocloud/user-data_bastion.yaml")
+  user_data = file("../../../cloud-init/nocloud-net/user-data_bastion.yaml")
 
   network_adapter {
     type           = "hostonly"
@@ -18,7 +18,7 @@ resource "virtualbox_vm" "database" {
   image     = var.database_image
   cpus      = var.database_cpu
   memory    = var.database_memory + " mib"
-  user_data = file("../../../cloud-init/nocloud/user-data_database.yaml")
+  user_data = file("../../../cloud-init/nocloud-net/user-data_database.yaml")
 
   network_adapter {
     type           = "hostonly"

diff --git a/hack/vagrant/boxes-ansible.example b/hack/vagrant/boxes-ansible.example
@@ -1,6 +1,6 @@
 ---
 - name: database
-  hostname: database.local
+  hostname: database.vagrant
   description: Sybase Database server
   box: generic/centos7
   box_version: "3.1.8"
@@ -16,14 +16,14 @@
       port: 5000
       expose: 5000
   provision:
-    meta-data: ./hack/cloud-init/nocloud/meta-data.yaml
-    user-data: ./hack/cloud-init/nocloud/user-data_database.yaml
+    meta-data: ./hack/cloud-init/nocloud-net/meta-data.yaml
+    user-data: ./hack/cloud-init/nocloud-net/user-data_database.yaml
     cloud-init: ./hack/vagrant/scripts/cloud-init.sh
   ansible:
     playbook: ./hack/vagrant/playbook_database.yaml
 
 - name: bastion
-  hostname: bastion.local
+  hostname: bastion.vagrant
   description: Bastion server
   box: generic/centos7
   box_version: "3.1.8"
@@ -36,8 +36,8 @@
       port: 22
       expose: 42222
   provision:
-    meta-data: ./hack/cloud-init/nocloud/meta-data.yaml
-    user-data: ./hack/cloud-init/nocloud/user-data_bastion.yaml
+    meta-data: ./hack/cloud-init/nocloud-net/meta-data.yaml
+    user-data: ./hack/cloud-init/nocloud-net/user-data_bastion.yaml
     cloud-init: ./hack/vagrant/scripts/cloud-init.sh
   ansible:
     playbook: ./hack/vagrant/playbook_bastion.yaml
diff --git a/hack/vagrant/boxes-scripted.example b/hack/vagrant/boxes-scripted.example
@@ -1,6 +1,6 @@
 ---
 - name: database
-  hostname: database.local
+  hostname: database.vagrant
   description: Sybase Database server
   box: generic/centos7
   box_version: "3.1.8"
@@ -13,8 +13,8 @@
       port: 22
       expose: 42222
   provision:
-    meta-data: ./hack/cloud-init/nocloud/meta-data.yaml
-    user-data: ./hack/cloud-init/nocloud/user-data_database.yaml
+    meta-data: ./hack/cloud-init/nocloud-net/meta-data.yaml
+    user-data: ./hack/cloud-init/nocloud-net/user-data_database.yaml
     cloud-init: ./hack/vagrant/scripts/cloud-init.sh
   packages:
     - ./hack/vagrant/packages/ASE_Suite.linuxamd64.tgz
@@ -30,7 +30,7 @@
   install: ./hack/vagrant/scripts/install-ASE.sh
 
 - name: bastion
-  hostname: bastion.local
+  hostname: bastion.vagrant
   description: Bastion server
   box: generic/centos7
   box_version: "3.1.8"
@@ -46,8 +46,8 @@
       port: 5000
       expose: 5000
   provision:
-    meta-data: ./hack/cloud-init/nocloud/meta-data.yaml
-    user-data: ./hack/cloud-init/nocloud/user-data_bastion.yaml
+    meta-data: ./hack/cloud-init/nocloud-net/meta-data.yaml
+    user-data: ./hack/cloud-init/nocloud-net/user-data_bastion.yaml
     cloud-init: ./hack/vagrant/scripts/cloud-init.sh
   packages:
     - ./hack/vagrant/packages/ASE_Suite.linuxamd64.tgz

diff --git a/hack/vagrant/boxes.yaml b/hack/vagrant/boxes.yaml
@@ -1,9 +1,9 @@
 ---
 - name: database
-  hostname: database.local
+  hostname: database.vagrant
   description: Sybase Database server
   box: generic/centos7
-  box_version: "3.1.10"
+  box_version: "3.1.12"
   paravirtprovider: hyperv
   cpus: 2
   memory: 4096
@@ -15,17 +15,17 @@
       port: 5000
       expose: 5000
   provision:
-    meta-data: ./hack/cloud-init/nocloud/meta-data.yaml
-    user-data: ./hack/cloud-init/nocloud/user-data_database.yaml
+    meta-data: ./hack/cloud-init/nocloud-net/meta-data.yaml
+    user-data: ./hack/cloud-init/nocloud-net/user-data_database.yaml
     cloud-init: ./hack/vagrant/scripts/cloud-init.sh
   ansible:
     playbook: ./hack/vagrant/playbook_database.yaml
 
 - name: bastion
-  hostname: bastion.local
+  hostname: bastion.vagrant
   description: Bastion server
   box: generic/centos7
-  box_version: "3.1.10"
+  box_version: "3.1.12"
   paravirtprovider: hyperv
   cpus: 1
   memory: 1024
@@ -34,8 +34,8 @@
       port: 22
       expose: 42222
   provision:
-    meta-data: ./hack/cloud-init/nocloud/meta-data.yaml
-    user-data: ./hack/cloud-init/nocloud/user-data_bastion.yaml
+    meta-data: ./hack/cloud-init/nocloud-net/meta-data.yaml
+    user-data: ./hack/cloud-init/nocloud-net/user-data_bastion.yaml
     cloud-init: ./hack/vagrant/scripts/cloud-init.sh
   ansible:
     playbook: ./hack/vagrant/playbook_bastion.yaml
diff --git a/hack/vagrant/playbook_bastion.yaml b/hack/vagrant/playbook_bastion.yaml
@@ -1,6 +1,8 @@
 - hosts: bastion
   gather_facts: false
+  vars:
   roles:
+    - common-firewall
     - sybase-ocs
     - openjdk-8
     - liquibase
diff --git a/hack/vagrant/playbook_database.yaml b/hack/vagrant/playbook_database.yaml
@@ -1,4 +1,5 @@
 - hosts: database
   gather_facts: false
   roles:
+    - common-firewall
     - sybase-ase
diff --git a/hack/vagrant/scripts/cloud-init.sh b/hack/vagrant/scripts/cloud-init.sh
@@ -3,17 +3,41 @@
 set -ex
 
 SUCCESS_INDICATOR=/opt/.vagrant_provision_success
-DATA_SOURCE=/var/lib/cloud/seed/nocloud
-META_DATA=/tmp/vagrant/cloud-init/nocloud/meta-data
-USER_DATA=/tmp/vagrant/cloud-init/nocloud/user-data
+DATA_SOURCE=/var/lib/cloud/seed/nocloud-net
+META_DATA=/tmp/vagrant/cloud-init/nocloud-net/meta-data
+USER_DATA=/tmp/vagrant/cloud-init/nocloud-net/user-data
 
 # confirm this is a centos box
 [[ ! -f /etc/centos-release ]] && exit 1
 
 # check if vagrant_provision has run before
 [[ -f $SUCCESS_INDICATOR ]] && exit 0
 
-yum install -y epel-release cloud-init
+yum install -y epel-release
+yum install -y cloud-init avahi avahi-tools nss-mdns
+
+# HACK: mDNS has an issue where other clients cannot resolve this host after vagrant halt/suspend
+hostname "$1"
+
+# enable Multicast DNS
+sed -i.bak -e 's/^hosts:.*/hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4/g' /etc/nsswitch.conf
+systemctl restart avahi-daemon
+systemctl enable avahi-daemon
+
+# HACK: mDNS has an issue where other clients cannot resolve this host after vagrant halt/suspend
+cat << EOF > /etc/NetworkManager/dispatcher.d/ifup-local
+#!/bin/sh
+case "\$1" in
+    eth*)
+        # Record event in /var/log/messages
+        logger "\$1 has come up... resetting hostname to $1 and restarting avahi-daemon.service - this is a hack"
+        hostname "$1"
+        systemctl restart avahi-daemon.service
+        ;;
+esac
+exit 0
+EOF
+chmod 700 /etc/NetworkManager/dispatcher.d/ifup-local
 
 # write cloud-init files
 mkdir -p $DATA_SOURCE

diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,5 @@
+ansible==2.9.15
+boto3==1.16.30
+boto==2.49.0
+lxml==4.6.2
+jinja2==2.11.2
diff --git a/roles/common-firewall/defaults/main.yaml b/roles/common-firewall/defaults/main.yaml
@@ -0,0 +1,10 @@
+firewall:
+  enabled: true
+  zones:
+    - zone: trusted
+      interface: eth1
+  rules:
+    - zone: trusted
+      service: mdns
+    - zone: public
+      service: mdns
diff --git a/roles/common-firewall/handlers/main.yaml b/roles/common-firewall/handlers/main.yaml
@@ -0,0 +1,12 @@
+- name: Reload firewall rules
+  command: firewall-cmd --reload
+
+- name: Restart firewalld
+  service:
+    name: firewalld
+    state: restarted
+
+- name: Restart network
+  service:
+    name: network
+    state: restarted