On Mon, 02 Feb 2015 15:59:15 +0100 Miroslav Suchý <msuchy@xxxxxxxxxx> wrote: > How do we open ports in ansible today? > > I want to open port 5672 for 172.24.0.10/24. Currently it is open > only to: > > [root@fed-cloud09 ~]# iptables-save |grep 5672 > -A INPUT -s 209.132.184.9/32 -p tcp -m multiport --dports 5671,5672 > -m comment --comment "001 amqp incoming amqp_209.132.184.9" -j ACCEPT > > So I done this change: > > diff --git a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org > b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org > index 2559de1..4a96e81 100644 > --- a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org > +++ b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org > @@ -1,2 +1,3 @@ > --- > root_auth_users: msuchy > +tcp_ports: [ 80, 443, 5672 ] > > But it have no effect (yes, I run the playbook again). > What is our best practice now and where I made mistake? The issue is that that is set in the 'base' role, but we didn't add that to the fed-cloud09 box. I didn't add it because there's a few things that wouldn't work there. For example, rsyslog logging to our central logging host (it works for our other machines because they are in phx2 or on our vpn, but we don't want the cloud machines on the vpn). So, the two options are: we could add the base role and tweak it to not do things on cloud that won't work there. Or Just copy paste the iptables section from base role and adjust the path to the iptables templates kevin
Attachment:
pgpgsInIT8KiX.pgp
Description: OpenPGP digital signature
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure