playbook: Add special firewall configuration for slapos master

  The slapos master require that the machines access directly the apache instance on the backend,
  for authenticate the computers/software instances. This change is probably temporary considering
  that with causase this change might be dropped.

playbook/roles/standalone-shared/templates/request-slapos-master.j2

@@ -53,7 +53,7 @@ ca_path = '/etc/slapos-ssl'
 parameter_dict["shared-certificate-authority-path"] = ca_path 
 
 # Choose a title
-title = "instance-of-{{ playbook_name }}"
+title = "{{ backend_instance_reference }}"
 
 erp5_instance = request(software_url,
   title,

playbook/roles/standalone-shared/templates/setup-firewall-direct.j2

+#!/bin/bash
+export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# This script is an workarround while slapos master cannot work without direct user connection
+# Once caucase is merged and used by the master the need of this workarround will be gone, and 
+# A better configuration can be proposes
+
+slap_ipv4=`/opt/slapos/parts/sqlite3/bin/sqlite3 /opt/slapos/slapproxy.db "select address from partition_network11 where partition_reference=(select reference from partition11 where requested_by = (select reference from partition11 where partition_reference='{{ backend_instance_reference }}')) and netmask='255.255.255.255';"`
+
+local_access_comment="Local {{ playbook_name }} IPv4 access"
+remote_access_comment="Remote {{ playbook_name }} IPv4 access"
+
+if [ ! -z "$slap_ipv4" ] ; then
+  local_count=`iptables -t nat -vnL | egrep "${local_access_comment}.*to:$slap_ipv4" | wc -l`
+  remote_count=`iptables -t nat -vnL | egrep "${remote_access_comment}.*to:$slap_ipv4" | wc -l`
+  if [ $local_count == "2" ] && [ $remote_count == "2" ] ; then
+    exit 0
+  fi
+  iptables -t nat -vnL PREROUTING | grep dpt:5443 | grep -q "${remote_access_comment}" && iptables -t nat -D PREROUTING `iptables -t nat -vnL PREROUTING --line-numbers | grep dpt:5443 | grep "${remote_access_comment}" | cut -d ' ' -f 1`
+  iptables -t nat -vnL OUTPUT | grep dpt:5443 | grep -q "${local_access_comment}" && iptables -t nat -D OUTPUT `iptables -t nat -vnL OUTPUT --line-numbers | grep dpt:5443 | grep "${local_access_comment}" | cut -d ' ' -f 1`
+  iptables -t nat -A OUTPUT -p tcp -d {{ ansible_default_ipv4.address }} --dport 5443 -j DNAT --to $frontend_ipv4:2157 -m comment --comment "${local_access_comment}"
+  iptables -t nat -A PREROUTING -p tcp -d {{ ansible_default_ipv4.address }} --dport 5443 -j DNAT --to-destination $frontend_ipv4:2157 -m comment --comment "${remote_access_comment}"
+fi

playbook/roles/standalone-shared/vars/main.yml

@@ -4,5 +4,6 @@ request_frontend_template: request-erp5-frontend.j2
 firewall_setup_template: setup-firewall.j2
 frontend_master_reference: master-frn-{{ playbook_name }}
 frontend_slave_reference: slave-srn-{{ playbook_name }}
+backend_instance_reference: instance-of-{{ playbook_name }}
 backend_url_path: /tmp/playbook-{{ playbook_name }}-backend-url
 public_ipv4_path: /tmp/playbook-{{ playbook_name }}-public_ipv4
\ No newline at end of file

playbook/slapos-master-standalone.yml

@@ -8,6 +8,8 @@
     startup_playbook_id: slapos-master-standalone.yml
     playbook_name: slapos-master
     request_instance_template: request-slapos-master.j2
+    request_frontend_template: request-slapos-master-frontend.j2
+    backend_instance_reference: instance-of-slapos-master
 
   pre_tasks:
 
@@ -16,3 +18,16 @@
   roles:
     - standalone-shared
     - { role: package, package_name: socat, package_state: present }
+
+  tasks:
+    - name: Create firewall script for slapos master
+      template: src=roles/standalone-shared/templates/setup-firewall-direct.j2 dest=/tmp/playbook-firewall-setup-{{ playbook_name }}-service mode=0700
+
+    - name: Setup firewall
+      cron:
+        cron_file=ansible-{{ playbook_name }}-service-firewall
+        user=root
+        name="Setup firewall SlapOS Master"
+        minute=*/5
+        job="/tmp/playbook-firewall-setup-{{ playbook_name }}-service > /dev/null 2>&1"
+