Update to 2022-09-22 16:00

2022-09-22 16:00:09 +02:00 · 2022-09-22 16:00:09 +02:00 · 529151748a
commit 529151748a
parent 8b40e52ebe
4 changed files with 58 additions and 5 deletions
--- a/roles/nomad/files/iptables_cleanup.pl
+++ b/roles/nomad/files/iptables_cleanup.pl
@ -0,0 +1,28 @@
+#!/usr/bin/env perl
+  
+use warnings;
+use strict;
+
+my $ipt = $ARGV[0];
+
+open(IPT, '<', $ipt) or die "Couldn't open $ipt\n";
+my @rules = ();
+my $change = 0;
+while (<IPT>){
+  chomp;
+  if (
+      (m/(^:|.*\-[Aj]\s+)(CNI|NOMAD\-(?!ADMIN)|DOCKER).*/) or
+      (m/.*-A\s+NOMAD\-ADMIN/ and not m/\-\-comment\s+"ansible/) or
+      (m/.*\-o\s+docker0.*/)
+     ){
+    $change = 1;
+    next;
+  }
+  push @rules, $_;
+}
+close IPT;
+if ($change){
+  open(IPT, '>', $ipt) or die "Couldn't open $ipt\n";
+  print IPT join("\n", @rules);
+  close IPT;
+}
--- a/roles/nomad/tasks/install.yml
+++ b/roles/nomad/tasks/install.yml
@ -122,11 +122,6 @@
  when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled
  tags: nomad

- name: Reload systemd
-  systemd: daemon_reload=True
-  when: nomad_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed)
-  tags: nomad
-
 - name: Install backup hooks
  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
  loop:
@ -134,3 +129,17 @@
    - post
  tags: nomad

+- name: Install iptables cleanup script
+  copy: src=iptables_cleanup.pl dest={{ nomad_root_dir }}/bin/iptables_cleanup.pl mode=755
+  tags: nomad
+
+- name: Install iptables-nomad-cleanup unit
+  template: src=iptables-nomad-cleanup.service.j2 dest=/etc/systemd/system/iptables-nomad-cleanup.service
+  register: nomad_ipt_cleanup_unit
+  tags: nomad
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: nomad_unit.changed or nomad_ipt_cleanup_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed)
+  tags: nomad
+
--- a/roles/nomad/tasks/services.yml
+++ b/roles/nomad/tasks/services.yml
@ -11,3 +11,9 @@
    state: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}"
    enabled: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary(True, False) }}"
  tags: nomad
+
+- name: Handle iptables-nomad-cleanup service
+  service:
+    name: iptables-nomad-cleanup
+    enabled: "{{ (nomad_conf.client.enabled and iptables_manage | default(True)) | ternary(True, False) }}"
+  tags: nomad
--- a/roles/nomad/templates/iptables-nomad-cleanup.service.j2
+++ b/roles/nomad/templates/iptables-nomad-cleanup.service.j2
@ -0,0 +1,10 @@
+[Unit]
+Description=Cleanup Nomad and Docker runtime rules
+Before=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/perl {{ nomad_root_dir }}/bin/iptables_cleanup.pl /etc/sysconfig/iptables
+
+[Install]
+WantedBy=multi-user.target