{ "info": { "author": "Juan Antonio Osorio Robles", "author_email": "jaosorior@redhat.com", "bugtrack_url": null, "classifiers": [ "Intended Audience :: Developers", "Intended Audience :: System Administrators", "License :: OSI Approved :: GNU General Public License v3 (GPLv3)", "Operating System :: POSIX :: Linux" ], "description": "tripleo-ipsec\n=============\n\nAnsible role to configure IPSEC tunnels for TripleO\n\n* This sets up packages and firewall settings.\n\n* Sets the configuration for the IPSEC tunnels in the overcloud nodes.\n\n* Parses the given configuration file and starts the IPSEC tunnels.\n\nIn a final step, when pacemaker is enabled, it enables resource agents for each\nVirtual IP which puts up/tears down IPSEC tunnels depending on the VIP\nlocation.\n\nNote that as of the latest code, this now relies on the usage of TripleO's\ndynamic inventory. This means that it expects the inventory to tell the role\nwhich networks are being set and which IPs the hosts have. If the relevant\nvariables don't come from the inventory, the role will attempt to use the legacy\nsetup which autodiscovers these. However, this setup is not very reliable if\nyou're using custom networks.\n\nRole Variables\n--------------\n\n* `ipsec_psk`: the Pre-Shared Key to be used for the IPSEC tunnels.\n Note that this is sensitive information and it's recommended that it's stored\n securely on the host where the playbook runs from, e.g. using Ansible Vault.\n One can generate this variable with the following command:\n `openssl rand -base64 48`\n* `ipsec_algorithm`: Defines the encryption algorithm to use in the phase2alg\n configuration option for the tunnels. Defaults to: `aes_gcm128-null`.\n The possible values should be checked in libreswan's documentation.\n* `ipsec_configure_vips`: Determines whether or not the role should configure\n the tunnels for the VIPs. 
Defaults to: `true`.\n* `ipsec_skip_firewall_rules`: Determines whether the role should skip\n the firewall rules. Defaults to: `false`.\n* `ipsec_uninstall_tunnels`: Determines whether the role should remove the IPSEC\n tunnels that were previously set. Defaults to: `false`.\n* `ipsec_upgrade_tunnels`: Determines whether the role should upgrade the IPSEC\n tunnels that were previously set. This means it'll remove all the tunnels\n created in a previous run and replace them. Defaults to: `false`.\n* `ipsec_setup_resource_agents`: Determines whether the role should create the\n pacemaker resource agents or not. Defaults to: `true`.\n* `ipsec_skip_networks`: Determines which networks should be skipped. Defaults to: `[]`.\n* `ipsec_force_install_legacy`: Forces the legacy installation. Defaults to: `false`.\n* `overcloud_controller_identifier`: This identifies which nodes are\n controllers in the cluster and which aren't, and should be part of the\n hostname of the controller. Defaults to: 'controller'. 
It's highly\n recommended that there's a way to explicitly identify the nodes this way.\n Note that this is only used in the legacy setup.\n\nExample Playbook\n----------------\n\nSample::\n\n - hosts: servers\n roles:\n - tripleo-ipsec\n\nEnabling ipsec tunnels in TripleO\n=================================\n\nThe main playbook to be run on the overcloud nodes is::\n\n tests/deploy-ipsec-tripleo.yml\n\nThis will deploy IPSEC on the overcloud nodes for the internal API network.\n\nWe'll use a PSK and an AES128 cipher.\n\nAdd the PSK to an ansible var file::\n\n cat <<EOF > ipsec-psk.yml\n ipsec_psk: $(openssl rand -base64 48)\n EOF\n\nEncrypt the file with ansible-vault (note that it'll prompt for a password)::\n\n ansible-vault encrypt ipsec-psk.yml\n\nHaving done this, you can now run the playbook::\n\n ansible-playbook -i /usr/bin/tripleo-ansible-inventory --ask-vault-pass \\\n -e @ipsec-psk.yml tests/deploy-ipsec-tripleo.yml\n\nGenerating an inventory\n-----------------------\n\nThe script */usr/bin/tripleo-ansible-inventory* generates a dynamic inventory\nwith the nodes in the overcloud. However, it comes with some inconveniences:\n\n* In deployments older than Pike, it might be a bit slow to run. To address\n this, in Ocata and Pike it's possible to generate a static inventory out of\n the output of this command::\n\n /usr/bin/tripleo-ansible-inventory --static-inventory nodes.txt\n\n This will create a file called nodes.txt with the static inventory, which we could\n now use and save some time.\n\n* Newton unfortunately only takes into account computes and controllers with\n this command. So for this deployment we need to generate an inventory of our\n own. 
We can do so with the following command::\n\n cat <<EOF > nodes.txt\n [undercloud]\n localhost\n\n [undercloud:vars]\n ansible_connection = local\n\n [overcloud:vars]\n ansible_ssh_user = heat-admin\n\n [overcloud]\n $( openstack server list -c Networks -f value | sed 's/ctlplane=//')\n EOF\n\n This assumes that you're deploying this playbook from the undercloud itself.\n Hence the undercloud group containing localhost.\n\nSkipping networks\n=================\n\nThe `ipsec_skip_networks` variable allows the user to skip the tunnel setup\nfor certain networks. This works by using the network name, which can vary\ndepending on your type of setup.\n\nUsing the dynamic inventory (Queens and beyond)\n-----------------------------------------------\n\nWhen using the dynamic inventory, the network names will be based on the names\nthat are set in your `network_data.yaml` file, from tripleo-heat-templates.\nAs mentioned in tripleo-heat-templates, this file will determine which networks\nyou're setting up in your overall TripleO deployment, and will even specify\nwhich of those networks have VIPs attached to them.\n\nThe network names to use in the `ipsec_skip_networks` variable will be under\nthe `name_lower` section of each network definition.\n\nFor instance, if you want to skip the storage management network, you'll see\nthat the entry looks as follows::\n\n - name: StorageMgmt\n name_lower: storage_mgmt\n vip: true\n vlan: 40\n ip_subnet: '172.16.3.0/24'\n allocation_pools: [{'start': '172.16.3.4', 'end': '172.16.3.250'}]\n ipv6_subnet: 'fd00:fd00:fd00:4000::/64'\n ipv6_allocation_pools: [{'start': 'fd00:fd00:fd00:4000::10', 'end': 'fd00:fd00:fd00:4000:ffff:ffff:ffff:fffe'}]\n\nSo, in this case, the variable you'll put in your ansible variables file will\nhave the following entry::\n\n ipsec_skip_networks:\n - storage_mgmt\n\nYou can add more networks by adding more items to that list.\n\nLegacy setups\n-------------\n\nIf you're using a legacy setup (which would work in 
Newton), you'll need to\nnote that the network names are hardcoded; so you'll have the following\noptions available:\n\n* internalapi\n* storage\n* storagemgmt\n* ctlplane\n\nYou can also explicitly skip creating the Redis VIP by adding the `redis` word\nto the list.\n\nIf you would want to skip the Storage and Storage Management networks, the\nvariable you'll put in your ansible variables file will have the\nfollowing entry::\n\n ipsec_skip_networks:\n - storage\n - storagemgmt\n\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://opendev.org/openstack/tripleo-ipsec", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "tripleo-ipsec", "package_url": "https://pypi.org/project/tripleo-ipsec/", "platform": "", "project_url": "https://pypi.org/project/tripleo-ipsec/", "project_urls": { "Homepage": "https://opendev.org/openstack/tripleo-ipsec" }, "release_url": "https://pypi.org/project/tripleo-ipsec/9.2.0/", "requires_dist": null, "requires_python": "", "summary": "Ansible role for managing TripleO's IPSEC tunnels", "version": "9.2.0" }, "last_serial": 5590182, "releases": { "0.0.1.dev95": [ { "comment_text": "", "digests": { "md5": "e3763238c522cf3100b2b225b20c44ff", "sha256": "5d568751e4f785ddc8e97339a45e0564fd903cbba3723b470fcd63b1323a13c0" }, "downloads": -1, "filename": "tripleo_ipsec-0.0.1.dev95-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "e3763238c522cf3100b2b225b20c44ff", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 5469, "upload_time": "2017-11-27T13:26:15", "url": "https://files.pythonhosted.org/packages/cb/d1/5c4fa012aa45ce6b26de8e81f8c675a8a397ac1822c210b7cf4f0378ed2c/tripleo_ipsec-0.0.1.dev95-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "5498be8b1a814818ed3dedb9892b3f1d", "sha256": 
"76dfa593d963188b0810230c996bcf3352c4ed8b9f96ec1ab13817b47becf256" }, "downloads": -1, "filename": "tripleo-ipsec-0.0.1.dev95.tar.gz", "has_sig": false, "md5_digest": "5498be8b1a814818ed3dedb9892b3f1d", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 27917, "upload_time": "2017-11-27T13:26:17", "url": "https://files.pythonhosted.org/packages/b8/65/c3cd0b8835615607a022138fc4c584a5edebc3c2b99de0c6cd6175087b11/tripleo-ipsec-0.0.1.dev95.tar.gz" } ], "8.0.1": [ { "comment_text": "", "digests": { "md5": "15daa6ab2e6dcb435b015283dd255ed3", "sha256": "740c6ce1424a6d5723a22580258ea6ec0254e76249510e3256cf7e0299b66030" }, "downloads": -1, "filename": "tripleo_ipsec-8.0.1-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "15daa6ab2e6dcb435b015283dd255ed3", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 25183, "upload_time": "2018-01-30T23:12:30", "url": "https://files.pythonhosted.org/packages/d4/76/5d73ee1ae8b827b3cd253ea79993886f0b086787719fb4fda86aa92fef93/tripleo_ipsec-8.0.1-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "32ac59f3bf9af58f2ce5670f8fc6a02e", "sha256": "740c38db0e29a90ec1247be56189bbc3dd482e56f3606104c7507eab42877ed4" }, "downloads": -1, "filename": "tripleo-ipsec-8.0.1.tar.gz", "has_sig": false, "md5_digest": "32ac59f3bf9af58f2ce5670f8fc6a02e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 29403, "upload_time": "2018-01-30T23:12:33", "url": "https://files.pythonhosted.org/packages/2f/4c/6698dead031e02dea4749cac1fc6a5ed92871d432544c58d1db544672ec2/tripleo-ipsec-8.0.1.tar.gz" } ], "8.0.2": [ { "comment_text": "", "digests": { "md5": "2658cf3f41079387b54532ec8883e46e", "sha256": "e8282f8bd8c395143106c36a0f219466e46797826ce364f7d1f88172f8b77f01" }, "downloads": -1, "filename": "tripleo_ipsec-8.0.2-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "2658cf3f41079387b54532ec8883e46e", "packagetype": "bdist_wheel", 
"python_version": "py2.py3", "requires_python": null, "size": 25281, "upload_time": "2018-02-22T15:25:48", "url": "https://files.pythonhosted.org/packages/47/3d/ec63436553605c11604461e66538336b1527649abe62b3430f01450fcd6a/tripleo_ipsec-8.0.2-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "bdbb2fa3ac922f7b62f0dd29e54d58a5", "sha256": "c8fec58fb1db3c9059632e89273dd930eb68e68896c29dffa90e9fae7e1ea834" }, "downloads": -1, "filename": "tripleo-ipsec-8.0.2.tar.gz", "has_sig": false, "md5_digest": "bdbb2fa3ac922f7b62f0dd29e54d58a5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 27713, "upload_time": "2018-02-22T15:25:52", "url": "https://files.pythonhosted.org/packages/cf/7a/33ed42fbff200e6481cd76365c6621867ac98e9e7aabaad1608476993e0b/tripleo-ipsec-8.0.2.tar.gz" } ], "8.1.0": [ { "comment_text": "", "digests": { "md5": "11cad92949594efdec21856a83c2641c", "sha256": "7224868a9ecb891601245a856455f7f7a7932173a8bcbb4140b7984bb89e276a" }, "downloads": -1, "filename": "tripleo_ipsec-8.1.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "11cad92949594efdec21856a83c2641c", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 25581, "upload_time": "2018-03-03T11:54:54", "url": "https://files.pythonhosted.org/packages/cd/aa/5a5522ea86ade0d0a6ed692457cecbf9e0c75fca1a4be8291cd992228c93/tripleo_ipsec-8.1.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "34daa0824bfb3bdd984662e43d3306a7", "sha256": "fa6c9944e18126c99933021006fe7cdcb20f6ca292c192121cf842763a5ef820" }, "downloads": -1, "filename": "tripleo-ipsec-8.1.0.tar.gz", "has_sig": false, "md5_digest": "34daa0824bfb3bdd984662e43d3306a7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 28163, "upload_time": "2018-03-03T11:54:57", "url": "https://files.pythonhosted.org/packages/31/9d/16de912d7ca2c24eb1cd27768f50a2cf5bab271a4667d34a557949ad95e0/tripleo-ipsec-8.1.0.tar.gz" } ], 
"9.0.0": [ { "comment_text": "", "digests": { "md5": "801977b644a0c54016bf0095b073bffd", "sha256": "ed6befa7283dd6ad286c8d6098e116165722f46cb1dba14365ebb0c737a12577" }, "downloads": -1, "filename": "tripleo_ipsec-9.0.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "801977b644a0c54016bf0095b073bffd", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 24176, "upload_time": "2018-04-19T13:42:42", "url": "https://files.pythonhosted.org/packages/46/23/6f04a400a1247014728666b9b4f75ad9f714a7bd9f576b7b483df4a8b4ea/tripleo_ipsec-9.0.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "b6c70d2b7f4c8384bfec1a23f019d18a", "sha256": "dfebe2b86199a70bcaa2ef7baa3c3ba3983de71ffc4704baaff2982b619ab3fa" }, "downloads": -1, "filename": "tripleo-ipsec-9.0.0.tar.gz", "has_sig": false, "md5_digest": "b6c70d2b7f4c8384bfec1a23f019d18a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 31998, "upload_time": "2018-04-19T13:42:46", "url": "https://files.pythonhosted.org/packages/9b/72/f8cb0ff96c9b40249f624db1f48e20d43286cc6f9d85713915960a88587c/tripleo-ipsec-9.0.0.tar.gz" } ], "9.1.0": [ { "comment_text": "", "digests": { "md5": "3c6509ca35c3024925df8705f9578a4e", "sha256": "92f619ad452e7182146e43e361ef11876eb4bd4eb6843180646531838d819350" }, "downloads": -1, "filename": "tripleo_ipsec-9.1.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "3c6509ca35c3024925df8705f9578a4e", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 36853, "upload_time": "2019-02-22T14:00:46", "url": "https://files.pythonhosted.org/packages/0a/51/7b4da67bc24185f493236c2b97af0e3ea8bab059a3315b665943de33bee3/tripleo_ipsec-9.1.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "5a379164f7d546b213cd13c1ac9b04a8", "sha256": "8c1f07a7046a17d61794e0150c24355d84cd35a22dcfde15505cccb75cdb53d5" }, "downloads": -1, "filename": "tripleo-ipsec-9.1.0.tar.gz", 
"has_sig": false, "md5_digest": "5a379164f7d546b213cd13c1ac9b04a8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 31035, "upload_time": "2019-02-22T14:00:50", "url": "https://files.pythonhosted.org/packages/5f/70/396bbe8c4e863808f6dcffa9ac364d401e9927e9214a1973ea29a88c4e1c/tripleo-ipsec-9.1.0.tar.gz" } ], "9.2.0": [ { "comment_text": "", "digests": { "md5": "3d6d08b8fb825acf228fb3286b75fe97", "sha256": "c55bea5c1befb93a1dcafe0ed1a15c22dfa9a74a6af043d7df6c2c74b1972ee0" }, "downloads": -1, "filename": "tripleo_ipsec-9.2.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "3d6d08b8fb825acf228fb3286b75fe97", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 36924, "upload_time": "2019-07-26T18:20:31", "url": "https://files.pythonhosted.org/packages/e5/d1/b8a2b7f726fc2eff009269e3022a93db66017df1d36473e5cf3a392b7479/tripleo_ipsec-9.2.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "9c3159d058a293f26e65655573940ef0", "sha256": "6144d32883b670f0f39993fe1719a98622328ce8a1686f57b25671b6f580b09a" }, "downloads": -1, "filename": "tripleo-ipsec-9.2.0.tar.gz", "has_sig": false, "md5_digest": "9c3159d058a293f26e65655573940ef0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 32091, "upload_time": "2019-07-26T18:20:35", "url": "https://files.pythonhosted.org/packages/30/78/203b11f82f2e7111e33d9ba5722a1ec02adadba44e3ea9bd82bcac0d9a2d/tripleo-ipsec-9.2.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "3d6d08b8fb825acf228fb3286b75fe97", "sha256": "c55bea5c1befb93a1dcafe0ed1a15c22dfa9a74a6af043d7df6c2c74b1972ee0" }, "downloads": -1, "filename": "tripleo_ipsec-9.2.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "3d6d08b8fb825acf228fb3286b75fe97", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 36924, "upload_time": "2019-07-26T18:20:31", "url": 
"https://files.pythonhosted.org/packages/e5/d1/b8a2b7f726fc2eff009269e3022a93db66017df1d36473e5cf3a392b7479/tripleo_ipsec-9.2.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "9c3159d058a293f26e65655573940ef0", "sha256": "6144d32883b670f0f39993fe1719a98622328ce8a1686f57b25671b6f580b09a" }, "downloads": -1, "filename": "tripleo-ipsec-9.2.0.tar.gz", "has_sig": false, "md5_digest": "9c3159d058a293f26e65655573940ef0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 32091, "upload_time": "2019-07-26T18:20:35", "url": "https://files.pythonhosted.org/packages/30/78/203b11f82f2e7111e33d9ba5722a1ec02adadba44e3ea9bd82bcac0d9a2d/tripleo-ipsec-9.2.0.tar.gz" } ] }