Post-FBR: Force openvpn to use tun1

Hi all,

For compatibility with openshift, we need openvpn to use tun1 on the openshift nodes.
While this does happen automatically if openvpn starts after the openshift SDN pod,
this is not always the case.
Can I get +1s for the patches I rolled out to make sure this happens?
(The second one was because I had the variable name wrong.)


commit 8ad630412f6abd082d08a628260b408d88d99b21
Author: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
Date:   Tue Sep 18 05:49:15 2018 +0200

    Make OpenVPN use tun1 for os-node's
    
    Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>

diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml
index 27c150d16..1ed3d173b 100644
- --- a/roles/openvpn/client/tasks/main.yml
+++ b/roles/openvpn/client/tasks/main.yml
@@ -19,14 +19,24 @@
   - openvpn
   when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
 
+- name: Install main config file (rhel7 and fedora)
+  template: src=client.conf
+            dest=/etc/openvpn/client/openvpn.conf
+            owner=root group=root mode=0644
+  tags:
+  - install
+  - openvpn
+#  notify:
+#  - restart openvpn (Fedora)
+#  - restart openvpn (RHEL7)
+#  - restart openvpn (RHEL6)
+  when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
+
 - name: Install configuration files (rhel7 and fedora)
   copy: src={{ item.file }}
         dest={{ item.dest }}
         owner=root group=root mode={{ item.mode }}
   with_items:
- -  - { file: client.conf,
- -      dest: /etc/openvpn/client/openvpn.conf,
- -      mode: '0644' }
   - { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt",
       dest: "/etc/openvpn/client/client.crt",
       mode: '0600' }
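
Review bot: the `notify:` block on the new "Install main config file" task is commented out, so a changed /etc/openvpn/client/openvpn.conf is written to disk but no restart handler fires. A node where openvpn is already running keeps its current device until something else restarts the service. If restarts are deliberately manual here, replace the commented-out lines with a comment that says so; otherwise enable the handler that matches this task's `when:`. The commented list also names `restart openvpn (RHEL6)`, although the condition excludes major version 6, so that entry can be dropped.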
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/templates/client.conf
similarity index 70%
rename from roles/openvpn/client/files/client.conf
rename to roles/openvpn/client/templates/client.conf
index 5042ed6e2..f398c9a39 100644
- --- a/roles/openvpn/client/files/client.conf
+++ b/roles/openvpn/client/templates/client.conf
@@ -1,6 +1,11 @@
 client
 
+{% if hostname.startswith("os-node") %}
+# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it
+dev tun1
+{% else %}
 dev tun
+{% endif %}
 
 proto udp
 
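
Review bot: the `{% if hostname.startswith("os-node") %}` test at the top of the template ties the device choice to a name prefix, so a node that runs the OpenShift SDN under any other name silently renders `dev tun`. Consider driving this from an inventory or group variable that defaults to `tun`, which also keeps naming assumptions out of the template. The role has no visible definition of `hostname`, so it is worth confirming the template renders on a non-os-node host as well before relying on the `else` branch.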


commit 325155810b8a0f0bbf929587316e1ae97d2b6565 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
Date:   Tue Sep 18 05:51:46 2018 +0200

    Actually use the ansible hostname
    
    Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>

diff --git a/roles/openvpn/client/templates/client.conf b/roles/openvpn/client/templates/client.conf
index f398c9a39..11372910b 100644
- --- a/roles/openvpn/client/templates/client.conf
+++ b/roles/openvpn/client/templates/client.conf
@@ -1,6 +1,6 @@
 client
 
- -{% if hostname.startswith("os-node") %}
+{% if ansible_hostname.startswith("os-node") %}
 # OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it
 dev tun1
 {% else %}
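
Review bot: the replacement condition uses `ansible_hostname`, which only exists when facts have been gathered for the host, while the tasks file in the same role keys the certificate path on `inventory_hostname`. Using `inventory_hostname.startswith("os-node")` here would keep the role on one notion of the host's name and would not depend on fact gathering or on what the machine reports as its own hostname.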