diff --git a/roles/nomad/files/iptables_cleanup.pl b/roles/nomad/files/iptables_cleanup.pl
new file mode 100644
index 0000000..4c643d6
--- /dev/null
+++ b/roles/nomad/files/iptables_cleanup.pl
@@ -0,0 +1,28 @@
+#!/usr/bin/env perl
+
+use warnings;
+use strict;
+
+my $ipt = $ARGV[0];
+
+open(IPT, '<', $ipt) or die "Couldn't open $ipt\n";
+my @rules = ();
+my $change = 0;
+while (){
+ chomp;
+ if (
+ (m/(^:|.*\-[Aj]\s+)(CNI|NOMAD\-(?!ADMIN)|DOCKER).*/) or
+ (m/.*-A\s+NOMAD\-ADMIN/ and not m/\-\-comment\s+"ansible/) or
+ (m/.*\-o\s+docker0.*/)
+ ){
+ $change = 1;
+ next;
+ }
+ push @rules, $_;
+}
+close IPT;
+if ($change){
+ open(IPT, '>', $ipt) or die "Couldn't open $ipt\n";
+ print IPT join("\n", @rules);
+ close IPT;
+}
diff --git a/roles/nomad/tasks/install.yml b/roles/nomad/tasks/install.yml
index 6d66fee..88e6904 100644
--- a/roles/nomad/tasks/install.yml
+++ b/roles/nomad/tasks/install.yml
@@ -122,11 +122,6 @@
 when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled
 tags: nomad
 
-- name: Reload systemd
- systemd: daemon_reload=True
- when: nomad_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed)
- tags: nomad
-
 - name: Install backup hooks
 template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
 loop:
@@ -134,3 +129,17 @@
 - post
 tags: nomad
 
+- name: Install iptables cleanup script
+ copy: src=iptables_cleanup.pl dest={{ nomad_root_dir }}/bin/iptables_cleanup.pl mode=755
+ tags: nomad
+
+- name: Install iptables-nomad-cleanup unit
+ template: src=iptables-nomad-cleanup.service.j2 dest=/etc/systemd/system/iptables-nomad-cleanup.service
+ register: nomad_ipt_cleanup_unit
+ tags: nomad
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: nomad_unit.changed or nomad_ipt_cleanup_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed)
+ tags: nomad
+
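Review bot: The rewrite at `open(IPT, '>', $ipt)` truncates the live `/etc/sysconfig/iptables` in place and the following `close IPT;` is unchecked, so a failure between that open and a complete write leaves an empty or partial ruleset for the `iptables.service` that the new unit is ordered before; write to a temporary file in the same directory, check `close`, carry over the original mode and `rename` it over the target, as sketched below. `print IPT join("\n", @rules)` also drops the newline after the last line (normally `COMMIT`), so emitting `"$_\n"` per kept line keeps the file byte-compatible with what `iptables-save` wrote. The loop header reads `while (){` on this page — presumably `<IPT>` lost to the page's markup; if it really is empty in the committed file, that is an unconditional loop with `$_` never set and should be confirmed. The `DOCKER` alternative in the first regex has no boundary, so `:DOCKER-USER` and `-A DOCKER-USER ...` lines — the chain Docker reserves for administrator-managed rules — are discarded too; `DOCKER(?!-USER)` would mirror the existing `NOMAD\-(?!ADMIN)` exemption if those rules are meant to survive.
```perl
# … unchanged: argument handling and the filtering loop that fills @rules …
close IPT;
if ($change){
    my $tmp  = "$ipt.tmp.$$";
    my $mode = (stat $ipt)[2] & 07777;
    open(my $out, '>', $tmp) or die "Couldn't open $tmp: $!\n";
    print {$out} map { "$_\n" } @rules;
    close $out or die "Couldn't write $tmp: $!\n";
    chmod $mode, $tmp or die "Couldn't chmod $tmp: $!\n";
    rename $tmp, $ipt or die "Couldn't replace $ipt: $!\n";
}
```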
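Review bot: The `copy` task installs `iptables_cleanup.pl` under `{{ nomad_root_dir }}/bin` with `mode=755` but without explicit ownership, and the unit added in the same change runs that file as root at every boot to rewrite `/etc/sysconfig/iptables`; whether the nomad service account can write under `nomad_root_dir` is not visible in this diff, so at minimum pin it with `copy: src=iptables_cleanup.pl dest={{ nomad_root_dir }}/bin/iptables_cleanup.pl owner=root group=root mode=0755`, or place it with the other root-only files of the role. The relocated `Reload systemd` task correctly adds `nomad_ipt_cleanup_unit.changed` to its condition, so the unit file is picked up on change.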
diff --git a/roles/nomad/tasks/services.yml b/roles/nomad/tasks/services.yml
index 8f4d1a6..0c7e0ac 100644
--- a/roles/nomad/tasks/services.yml
+++ b/roles/nomad/tasks/services.yml
@@ -11,3 +11,9 @@
 state: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}"
 enabled: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary(True, False) }}"
 tags: nomad
+
+- name: Handle iptables-nomad-cleanup service
+ service:
+ name: iptables-nomad-cleanup
+ enabled: "{{ (nomad_conf.client.enabled and iptables_manage | default(True)) | ternary(True, False) }}"
+ tags: nomad
diff --git a/roles/nomad/templates/iptables-nomad-cleanup.service.j2 b/roles/nomad/templates/iptables-nomad-cleanup.service.j2
new file mode 100644
index 0000000..d37366f
--- /dev/null
+++ b/roles/nomad/templates/iptables-nomad-cleanup.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Cleanup Nomad and Docker runtime rules
+Before=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/perl {{ nomad_root_dir }}/bin/iptables_cleanup.pl /etc/sysconfig/iptables
+
+[Install]
+WantedBy=multi-user.target
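Review bot: The `[Service]` section runs a script that rewrites `/etc/sysconfig/iptables` as root with no sandboxing; since it only needs to read the script and write that one directory, `ProtectSystem=strict`, `ReadWritePaths=/etc/sysconfig` and `ProtectHome=yes` confine a bug in the script, or a tampered `{{ nomad_root_dir }}/bin/iptables_cleanup.pl`, to the sysconfig directory. `ExecStart=/bin/perl ...` also sidesteps the script's own `#!/usr/bin/env perl` shebang and the executable mode it is installed with; pick one convention, either invoke the script directly or drop the executable bit. Note that `Before=iptables.service` is ordering only: if the script fails, boot continues and `iptables.service` loads whatever the file then contains, which is why the script's write needs to be atomic.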