On Tue, 18 Sep 2018 at 00:13, Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi all,
>
> For compatibility with openshift, we need openvpn to use tun1 on the openshift nodes.
> While this does happen automatically if openvpn starts after the openshift SDN pod,
> this is not always the case.
> Can I get +1s for the patches I rolled out to make sure this happens?
> (The second one was because I had the variable name wrong.)
>
Retroactive +1
>
> commit 8ad630412f6abd082d08a628260b408d88d99b21
> Author: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
> Date: Tue Sep 18 05:49:15 2018 +0200
>
> Make OpenVPN use tun1 for os-node's
>
> Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
>
> diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml
> index 27c150d16..1ed3d173b 100644
> - --- a/roles/openvpn/client/tasks/main.yml
> +++ b/roles/openvpn/client/tasks/main.yml
> @@ -19,14 +19,24 @@
> - openvpn
> when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
>
> +- name: Install main config file (rhel7 and fedora)
> + template: src=client.conf
> + dest=/etc/openvpn/client/openvpn.conf
> + owner=root group=root mode=0644
> + tags:
> + - install
> + - openvpn
> +# notify:
> +# - restart openvpn (Fedora)
> +# - restart openvpn (RHEL7)
> +# - restart openvpn (RHEL6)
> + when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
> +
> - name: Install configuration files (rhel7 and fedora)
> copy: src={{ item.file }}
> dest={{ item.dest }}
> owner=root group=root mode={{ item.mode }}
> with_items:
> - - - { file: client.conf,
> - - dest: /etc/openvpn/client/openvpn.conf,
> - - mode: '0644' }
> - { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt",
> dest: "/etc/openvpn/client/client.crt",
> mode: '0600' }
> diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/templates/client.conf
> similarity index 70%
> rename from roles/openvpn/client/files/client.conf
> rename to roles/openvpn/client/templates/client.conf
> index 5042ed6e2..f398c9a39 100644
> - --- a/roles/openvpn/client/files/client.conf
> +++ b/roles/openvpn/client/templates/client.conf
> @@ -1,6 +1,11 @@
> client
>
> +{% if hostname.startswith("os-node") %}
> +# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it
> +dev tun1
> +{% else %}
> dev tun
> +{% endif %}
>
> proto udp
>
>
>
> commit 325155810b8a0f0bbf929587316e1ae97d2b6565 (HEAD -> master, origin/master, origin/HEAD)
> Author: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
> Date: Tue Sep 18 05:51:46 2018 +0200
>
> Actually use the ansible hostname
>
> Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
>
> diff --git a/roles/openvpn/client/templates/client.conf b/roles/openvpn/client/templates/client.conf
> index f398c9a39..11372910b 100644
> - --- a/roles/openvpn/client/templates/client.conf
> +++ b/roles/openvpn/client/templates/client.conf
> @@ -1,6 +1,6 @@
> client
>
> - -{% if hostname.startswith("os-node") %}
> +{% if ansible_hostname.startswith("os-node") %}
> # OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it
> dev tun1
> {% else %}
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJboHsaAAoJEIZXmA2atR5QJ1MP/Rm8T8GFuIznzGo80ypxb891
> x310k+PrOkJ0kOxnY086dqCqNxPsFLVnFpGHWUAo3Y/8q/85HeJHHP/6iDuxYb37
> /dghRacim8PIEsf4PAAMulqOhpGDKfZ/bMTJrQOp/eOSc8MQkdkabXYAPgH6RyrX
> uJXrHn4Xx+REZEjOR5dbZJahqfeRbUpU84TNfVPgu5NCgCyYg/eGZr0MaV06Fxcp
> T4m9VbN1MCxn/aX6I4yq7EO3QWhfe5iB3tNKa0emZYqkTTwYWImK6m+bEfA8FWzn
> gyyeS1m2nPQm2vjPefp+k//oFo9JARUHCpR9HBJb+A3ctJVXiZAr3W0PgXhYdPNp
> Ocrhd2TvHfQP62mOh7UwIrPuheFxxY3P8OPNWmkTyLtAfQN/5zSwaig/fX4A+XqP
> 4z/TXdMMWVBrq5a4pH8vn8jwDeI4Q4dgpH7Nj4WlAQ3TUFssiEki5MPiCLU8R6/B
> xqvwVl4DqxERS1nUlB5TANTdyDYYTbpA4Tukr8qhQxXnbWD1VezeoE+WCZn+94jL
> bX1J86g2hJz8xBJWWfSHoSI2ncBzPUScSyJkGxSozBSbvcKzPumF3FGHcsoFIZwa
> KDRXALPsXm5t15EnY1Ylg/ILxIaZNygxyDGq6Ryu1giTjZEnCyFWwl5Vvjq+hewO
> ZqdNr3jnf8pQLsTdxcKT
> =siP7
> -----END PGP SIGNATURE-----
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
--
Stephen J Smoogen.
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
