Hi all,
For compatibility with openshift, we need openvpn to use tun1 on the openshift nodes. While this does happen automatically if openvpn starts after the openshift SDN pod, this is not always the case. Can I get +1s for the patches I rolled out to make sure this happens? (The second one was because I had the variable name wrong.)
commit 8ad630412f6abd082d08a628260b408d88d99b21
Author: Patrick Uiterwijk <patrick@puiterwijk.org>
Date:   Tue Sep 18 05:49:15 2018 +0200

    Make OpenVPN use tun1 for os-node's

    Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 27c150d16..1ed3d173b 100644 - --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -19,14 +19,24 @@ - openvpn when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
+- name: Install main config file (rhel7 and fedora) + template: src=client.conf + dest=/etc/openvpn/client/openvpn.conf + owner=root group=root mode=0644 + tags: + - install + - openvpn +# notify: +# - restart openvpn (Fedora) +# - restart openvpn (RHEL7) +# - restart openvpn (RHEL6) + when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined + - name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }} with_items: - - - { file: client.conf, - - dest: /etc/openvpn/client/openvpn.conf, - - mode: '0644' } - { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client/client.crt", mode: '0600' } diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/templates/client.conf similarity index 70% rename from roles/openvpn/client/files/client.conf rename to roles/openvpn/client/templates/client.conf index 5042ed6e2..f398c9a39 100644 - --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/templates/client.conf @@ -1,6 +1,11 @@ client
+{% if hostname.startswith("os-node") %} +# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it +dev tun1 +{% else %} dev tun +{% endif %}
proto udp
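Review bot: In the new "Install main config file (rhel7 and fedora)" task in roles/openvpn/client/tasks/main.yml the `notify:` block is commented out, so rendering a changed client.conf does not restart openvpn, and a client on an os-node that already claimed tun0 keeps it until something else restarts the service. Either enable the matching restart handler or add a comment saying the restart is deliberately manual. The `when:` on the same task also excludes major version 24 without explanation while the task name says "rhel7 and fedora"; a short comment on that condition would help.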
commit 325155810b8a0f0bbf929587316e1ae97d2b6565 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrick Uiterwijk <patrick@puiterwijk.org>
Date:   Tue Sep 18 05:51:46 2018 +0200

    Actually use the ansible hostname

    Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
diff --git a/roles/openvpn/client/templates/client.conf b/roles/openvpn/client/templates/client.conf index f398c9a39..11372910b 100644 - --- a/roles/openvpn/client/templates/client.conf +++ b/roles/openvpn/client/templates/client.conf @@ -1,6 +1,6 @@ client
- -{% if hostname.startswith("os-node") %} +{% if ansible_hostname.startswith("os-node") %} # OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it dev tun1 {% else %}
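Review bot: The condition `ansible_hostname.startswith("os-node")` in roles/openvpn/client/templates/client.conf depends on a gathered fact, so the template fails to render in any play that applies this role with fact gathering turned off; consider `inventory_hostname`, which tasks/main.yml already uses for the client certificate path and which is always defined, if the inventory names carry the same prefix. The prefix test also applies `dev tun1` to every host whose short name begins with `os-node`, so a one-line comment naming the intended hosts would make the scope explicit.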
On Tue, Sep 18, 2018 at 06:12:10AM +0200, Patrick Uiterwijk wrote:
Hi all,
For compatibility with openshift, we need openvpn to use tun1 on the openshift nodes. While this does happen automatically if openvpn starts after the openshift SDN pod, this is not always the case. Can I get +1s for the patches I rolled out to make sure this happens? (The second one was because I had the variable name wrong.)
commit 8ad630412f6abd082d08a628260b408d88d99b21
Author: Patrick Uiterwijk <patrick@puiterwijk.org>
Date:   Tue Sep 18 05:49:15 2018 +0200

    Make OpenVPN use tun1 for os-node's

    Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 27c150d16..1ed3d173b 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -19,14 +19,24 @@
- openvpn
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
+- name: Install main config file (rhel7 and fedora)
- template: src=client.conf
dest=/etc/openvpn/client/openvpn.conf
owner=root group=root mode=0644
- tags:
- install
- openvpn
+# notify: +# - restart openvpn (Fedora) +# - restart openvpn (RHEL7) +# - restart openvpn (RHEL6)
- when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
- name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }} with_items:
- { file: client.conf,
dest: /etc/openvpn/client/openvpn.conf,
mode: '0644' }
- { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client/client.crt", mode: '0600' }
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/templates/client.conf similarity index 70% rename from roles/openvpn/client/files/client.conf rename to roles/openvpn/client/templates/client.conf index 5042ed6e2..f398c9a39 100644 --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/templates/client.conf @@ -1,6 +1,11 @@ client
+{% if hostname.startswith("os-node") %} +# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it +dev tun1 +{% else %} dev tun +{% endif %}
proto udp
commit 325155810b8a0f0bbf929587316e1ae97d2b6565 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrick Uiterwijk <patrick@puiterwijk.org>
Date:   Tue Sep 18 05:51:46 2018 +0200

    Actually use the ansible hostname

    Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
diff --git a/roles/openvpn/client/templates/client.conf b/roles/openvpn/client/templates/client.conf index f398c9a39..11372910b 100644 --- a/roles/openvpn/client/templates/client.conf +++ b/roles/openvpn/client/templates/client.conf @@ -1,6 +1,6 @@ client
-{% if hostname.startswith("os-node") %} +{% if ansible_hostname.startswith("os-node") %} # OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it dev tun1 {% else %}
+1 for me
Pierre
On Tue, 18 Sep 2018 at 00:13, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Hi all,
For compatibility with openshift, we need openvpn to use tun1 on the openshift nodes. While this does happen automatically if openvpn starts after the openshift SDN pod, this is not always the case. Can I get +1s for the patches I rolled out to make sure this happens? (The second one was because I had the variable name wrong.)
Retroactive +1
commit 8ad630412f6abd082d08a628260b408d88d99b21
Author: Patrick Uiterwijk <patrick@puiterwijk.org>
Date:   Tue Sep 18 05:49:15 2018 +0200

    Make OpenVPN use tun1 for os-node's

    Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 27c150d16..1ed3d173b 100644
- --- a/roles/openvpn/client/tasks/main.yml
+++ b/roles/openvpn/client/tasks/main.yml @@ -19,14 +19,24 @@
- openvpn
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
+- name: Install main config file (rhel7 and fedora)
- template: src=client.conf
dest=/etc/openvpn/client/openvpn.conf
owner=root group=root mode=0644
- tags:
- install
- openvpn
+# notify: +# - restart openvpn (Fedora) +# - restart openvpn (RHEL7) +# - restart openvpn (RHEL6)
- when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
- name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }} with_items:
- { file: client.conf,
dest: /etc/openvpn/client/openvpn.conf,
mode: '0644' }
- { file: "{{ private }}/files/vpn/pki/issued/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client/client.crt", mode: '0600' }
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/templates/client.conf similarity index 70% rename from roles/openvpn/client/files/client.conf rename to roles/openvpn/client/templates/client.conf index 5042ed6e2..f398c9a39 100644
- --- a/roles/openvpn/client/files/client.conf
+++ b/roles/openvpn/client/templates/client.conf @@ -1,6 +1,11 @@ client
+{% if hostname.startswith("os-node") %} +# OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it +dev tun1 +{% else %} dev tun +{% endif %}
proto udp
commit 325155810b8a0f0bbf929587316e1ae97d2b6565 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrick Uiterwijk <patrick@puiterwijk.org>
Date:   Tue Sep 18 05:51:46 2018 +0200

    Actually use the ansible hostname

    Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
diff --git a/roles/openvpn/client/templates/client.conf b/roles/openvpn/client/templates/client.conf index f398c9a39..11372910b 100644
- --- a/roles/openvpn/client/templates/client.conf
+++ b/roles/openvpn/client/templates/client.conf @@ -1,6 +1,6 @@ client
- -{% if hostname.startswith("os-node") %}
+{% if ansible_hostname.startswith("os-node") %} # OpenShift REALLY wants tun0. Let's make sure openvpn doesn't claim it dev tun1 {% else %}
_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro...