None of Ansible's standard modules looked like a good fit for this, so I figured I would just write one myself.
Directory structure
├── README.md
├── ansible.cfg
├── block.yml
├── group_vars
│   └── main.yml
├── hosts
├── library
│   └── block_ip.sh
└── roles
    └── block_ip
        ├── README.md
        ├── tasks
        │   └── main.yml
        └── vars
            └── main.yml
Module
root@DESKTOP-MOGIJIA:/opt/playbook/ip_block# cat library/block_ip.sh
#!/bin/sh
# Ansible passes the path of the args file (key=value pairs) as $1;
# fall back to the "args" file next to the module, as the first version did.
. "${1:-$(dirname "$0")/args}"
if [ "$state" = "absent" ] ; then
  # remove the reject route; a failure (route not present) is reported as unchanged
  if route del -host "$target" reject ; then
    echo '{ "rc": 0, "changed": true }'
  else
    echo '{ "rc": 0 }'
  fi
elif [ "$state" = "present" ] ; then
  # add a reject route so traffic to the target is refused (shows as "unreachable" in ip route)
  if route add -host "$target" reject ; then
    echo '{ "rc": 0, "changed": true }'
  else
    echo '{ "rc": 0 }'
  fi
else
  echo '{ "failed": true, "rc": 0, "msg": "state must be present or absent" }'
fi
The module goes under the library directory.
It also reads target (the IP address to act on) and state (desired state), so both can be set from the playbook.
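As an added example (not from the post), here is a hardened take on the same module: instead of sourcing the args file, which executes whatever Ansible wrote into it, it parses the key=value pairs and validates the target and state before handing them to route. The function names and the optional dry-run prefix argument are my own choices; it assumes values are plain or single-quoted, as Ansible emits them for old-style modules.

```shell
#!/bin/sh
# Hardened variant of block_ip.sh (added example): args are parsed and validated
# rather than sourced, so route(8) only ever sees a checked IPv4 address and state.
# Succeed only if $1 is a dotted quad with four octets in the range 0-255.
is_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac      # digits and dots only, no glob chars
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in '') return 1 ;; esac
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}
# Parse an args string into PARSED_TARGET / PARSED_STATE; fail on unknown keys or bad values.
parse_args() {
  PARSED_TARGET=; PARSED_STATE=
  for pair in $1; do
    key=${pair%%=*}; value=${pair#*=}
    value=${value#"'"}; value=${value%"'"}   # strip shlex-style single quotes
    case $key in
      target) PARSED_TARGET=$value ;;
      state)  PARSED_STATE=$value ;;
      *) return 1 ;;                         # reject unknown keys
    esac
  done
  is_ipv4 "$PARSED_TARGET" || return 1
  case $PARSED_STATE in present|absent) ;; *) return 1 ;; esac
}
# route(8) arguments per state: present adds the reject route, absent removes it.
route_args() {
  case $1 in present) echo "add -host $2 reject" ;; absent) echo "del -host $2 reject" ;; esac
}
# Entry point: $1 is the args string, $2 an optional command prefix (e.g. "echo" for a dry run).
block_ip_main() {
  if ! parse_args "$1"; then
    echo '{ "failed": true, "rc": 1, "msg": "invalid target or state" }'
    return 1
  fi
  if ${2:-} route $(route_args "$PARSED_STATE" "$PARSED_TARGET") >/dev/null 2>&1; then
    echo '{ "rc": 0, "changed": true }'
  else
    echo '{ "rc": 0, "changed": false }'   # as in the original: an existing/missing route is not an error
  fi
}
# When Ansible runs the module it passes the args file path as $1.
if [ $# -ge 1 ] && [ -f "$1" ]; then block_ip_main "$(cat "$1")"; fi
```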
Role
root@DESKTOP-MOGIJIA:/opt/playbook/ip_block# cat roles/block_ip/tasks/main.yml
---
# tasks file for block_ip
- name: block_ip
  block_ip:
    target: "{{ item }}"
    state: present   # present = add a reject route for the target
  with_items:
    - "{{ block_target }}"

- name: accept_ip
  block_ip:
    target: "{{ item }}"
    state: absent    # absent = remove the reject route
  with_items:
    - "{{ accept_target }}"
The convention is: state "present" means access is restricted,
state "absent" means the restriction is lifted.
root@DESKTOP-MOGIJIA:/opt/playbook/ip_block# cat group_vars/main.yml
---
block_target:
  - 192.168.99.99
  - 192.168.99.98
  - 192.168.99.97
  - 192.168.99.96
  - 192.168.99.95
  - 192.168.99.94
  - 192.168.99.93
  - 192.168.99.00
accept_target:
  - 127.0.0.1
Playbook
root@DESKTOP-MOGIJIA:/opt/playbook/ip_block# cat block.yml
---
# Main Playbook
- name: apply master configuration to master nodes
  hosts: all
  vars_files:
    - ./group_vars/main.yml
  remote_user: vagrant
  # remote_user: centos
  become: yes
  roles:
    - block_ip
Run
root@DESKTOP-MOGIJIA:/opt/playbook/ip_block# ansible-playbook block.yml --ask-pass
SSH password:

PLAY [apply master configuration to master nodes] **********************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [192.168.33.10]

TASK [block_ip : block_ip] *********************************************************************************************
changed: [192.168.33.10] => (item=192.168.99.99)
changed: [192.168.33.10] => (item=192.168.99.98)
changed: [192.168.33.10] => (item=192.168.99.97)
changed: [192.168.33.10] => (item=192.168.99.96)
changed: [192.168.33.10] => (item=192.168.99.95)
changed: [192.168.33.10] => (item=192.168.99.94)
changed: [192.168.33.10] => (item=192.168.99.93)
changed: [192.168.33.10] => (item=192.168.99.00)

TASK [block_ip : accept_ip] ********************************************************************************************
ok: [192.168.33.10] => (item=127.0.0.1)

PLAY RECAP *************************************************************************************************************
192.168.33.10 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Result
[root@ansible-dev ~]# ip route show
default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
192.168.33.0/24 dev eth1 proto kernel scope link src 192.168.33.10 metric 101
unreachable 192.168.99.0 scope host
unreachable 192.168.99.93 scope host
unreachable 192.168.99.94 scope host
unreachable 192.168.99.95 scope host
unreachable 192.168.99.96 scope host
unreachable 192.168.99.97 scope host
unreachable 192.168.99.98 scope host
unreachable 192.168.99.99 scope host
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
Yep, that looks fine.