From a7f966b26e72e485d8200a31c0e38f72d77ad5b7 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 19 Mar 2018 15:49:43 +0100
Subject: [PATCH] handle the docker service restart after the iptables service one.
---
 iptables/handlers/main.yml | 4 -
 iptables/tasks/main.yml | 166 +++++++++++++++++++------------------
 2 files changed, 87 insertions(+), 83 deletions(-)
diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml
index 72895169..34f67fe5 100644
--- a/iptables/handlers/main.yml
+++ b/iptables/handlers/main.yml
@@ -20,7 +20,3 @@
 command: /etc/init.d/iptables-persistent stop
 ignore_errors: true
 
-- name: Restart fail2ban
- service: name=fail2ban state=restarted enabled=yes
- when: has_fail2ban
-
diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml
index 861764d1..13d41cf3 100644
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@@ -1,91 +1,99 @@
 ---
-- name: Install the needed iptables packages
- apt: pkg={{ item }} state=installed
- with_items:
- - iptables
- - iptables-persistent
- tags: iptables
+- block:
+ - name: Install the needed iptables packages
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - iptables
+ - iptables-persistent
 
-- name: Create the /etc/iptables directory when needed
- file: dest=/etc/iptables state=directory owner=root group=root mode=0755
- when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
- tags: iptables
-
-- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
- with_items:
- - rules.v4
- when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
- notify: Start the iptables service on Ubuntu < 12.04
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Create the /etc/iptables directory when needed
+ file: dest=/etc/iptables state=directory owner=root group=root mode=0755
+ when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
+
+ - name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
+ template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
+ with_items:
+ - rules.v4
+ when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
+ notify: Start the iptables service on Ubuntu < 12.04
 
-- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_precise
- register: install_iptables_rules_precise
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
+ template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+ with_items:
+ - rules.v4
+ - rules.v6
+ when: is_precise
+ register: install_iptables_rules_precise
 
-- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_trusty
- register: install_iptables_rules_trusty
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
+ template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+ with_items:
+ - rules.v4
+ - rules.v6
+ when: is_trusty
+ register: install_iptables_rules_trusty
 
-- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_debian7
- register: install_iptables_rules_deb7
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
+ template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+ with_items:
+ - rules.v4
+ - rules.v6
+ when: is_debian7
+ register: install_iptables_rules_deb7
 
-- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_debian8
- register: install_netfilter_rules
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
+ template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+ with_items:
+ - rules.v4
+ - rules.v6
+ when: is_debian8
+ register: install_netfilter_rules
 
-- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when:
- - ansible_distribution == 'Ubuntu'
- - ansible_distribution_major_version >= '16'
- register: install_netfilter_rules
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
+ template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+ with_items:
+ - rules.v4
+ - rules.v6
+ when:
+ - ansible_distribution == 'Ubuntu'
+ - ansible_distribution_major_version >= '16'
+ register: install_netfilter_rules
 
-- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
- service: name=iptables-persistent state=restarted enabled=yes
- notify: Restart fail2ban
- when: ( install_iptables_rules_precise | changed )
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
+ service: name=iptables-persistent state=restarted enabled=yes
+ register: restart_related
+ when: install_iptables_rules_precise is changed
 
-- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
- service: name=iptables-persistent state=restarted enabled=yes
- notify: Restart fail2ban
- when: ( install_iptables_rules_trusty | changed )
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
+ service: name=iptables-persistent state=restarted enabled=yes
+ register: restart_related
+ when: install_iptables_rules_trusty is changed
 
-- name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
- service: name=iptables-persistent state=restarted enabled=yes
- notify: Restart fail2ban
- when: ( install_iptables_rules_deb7 | changed )
- tags: [ 'iptables', 'iptables_rules' ]
+ - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
+ service: name=iptables-persistent state=restarted enabled=yes
+ register: restart_related
+ when: install_iptables_rules_deb7 is changed
+
+ - name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
+ service: name=netfilter-persistent state=restarted enabled=yes
+ register: restart_related
+ when: install_netfilter_rules is changed
+
+ - name: Restart fail2ban after an iptables restart
+ service: name=fail2ban state=restarted enabled=yes
+ when:
+ - has_fail2ban
+ - restart_related is changed
+
+ - name: Check if the docker service is present
+ stat: path=/usr/bin/dockerd
+ register: dockerd_installed
+ when: restart_related is changed
+
+ - name: Restart docker after an iptables restart
+ service: name=docker state=restarted enabled=yes
+ when:
+ - dockerd_installed.stat.exists
+ - restart_related is changed
 
-- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
- service: name=netfilter-persistent state=restarted enabled=yes
- notify: Restart fail2ban
- when: ( install_netfilter_rules | changed )
 tags: [ 'iptables', 'iptables_rules' ]