From 3f7bd34fc3401d379a387f17a316966662101a75 Mon Sep 17 00:00:00 2001
From: Simon Michnowicz <simon.michnowicz@monash.edu>
Date: Mon, 7 Sep 2020 20:09:53 +1000
Subject: [PATCH] Disable interface
---
 roles/disable_interface/README.md | 11 +++++++++++
 roles/disable_interface/tasks/main.yml | 16 ++++++++++++++++
 .../templates/disable_interface.service.j2 | 15 +++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 roles/disable_interface/README.md
 create mode 100644 roles/disable_interface/tasks/main.yml
 create mode 100644 roles/disable_interface/templates/disable_interface.service.j2
diff --git a/roles/disable_interface/README.md b/roles/disable_interface/README.md
new file mode 100644
index 00000000..73c3366b
--- /dev/null
+++ b/roles/disable_interface/README.md
@@ -0,0 +1,11 @@
+This role permanently turns off a network interface. This is needed for baremetal
+machines, which may have a management interface (i.e. e1p1) that needs to
+be disabled for security reasons. We use `ip link set <Name> down` to disable the interface.
+
+To survive a reboot, this role sets up a service file and enables it for starting upon an OS start.
+
+Usage
+ - {role: disable_interface, interface_name : "eth5" }
+ - {role: disable_interface }
+
+{{ interface_name }} if not defined, defaults to "e1p1"
diff --git a/roles/disable_interface/tasks/main.yml b/roles/disable_interface/tasks/main.yml
new file mode 100644
index 00000000..e1c64451
--- /dev/null
+++ b/roles/disable_interface/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+# This role adds a sytemd services file and enables it
+# It disables the {{ interface_name }} interface (Management port) on Baremetal nodes
+- set_fact: interface_name="e1p1"
+ when: interface_name is undefined
+
+- name: Create service file for turning off interace name
+ template: src=disable_interface.service.j2 dest=/etc/systemd/system/disable_interface.service mode="u=rw,g=r,o=r"
+ become: true
+ become_user: root
+
+- name: enable and start device_off service
+ service: name=disable_interface.service state=started enabled=yes
+ become: true
+ become_user: root
diff --git a/roles/disable_interface/templates/disable_interface.service.j2 b/roles/disable_interface/templates/disable_interface.service.j2
new file mode 100644
index 00000000..8f858cd3
--- /dev/null
+++ b/roles/disable_interface/templates/disable_interface.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Turn off {{ interface_name }} interface (management port)
+After=network.target network-online.target openibd.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/ip link set {{ interface_name }} down
+#'ip link show {{ interface_name }} ' is either UP or DOWN
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=final.target
+
-- GitLab
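Review bot: In `roles/disable_interface/tasks/main.yml` the last task uses `service: ... state=started`, which is a no-op once the one-shot unit is active (the template sets `RemainAfterExit=yes`), and nothing reloads systemd after the unit file is rewritten, so a changed `interface_name` is not applied until the next reboot and the previously named port is left as it was. `interface_name` is also rendered into a root-run `ExecStart` line without any check on its value. The sketch below registers the template result, switches to the `systemd` module with `daemon_reload`, restarts the unit when the file changed, and asserts a conservative name pattern that should be adjusted to the site's naming. The default would also read better in `defaults/main.yml` than as a `set_fact` guarded by `is undefined`.

```yaml
# … unchanged: header comments and set_fact default for interface_name …

- name: Check interface_name is a plausible Linux interface name
  assert:
    that:
      - interface_name is match('^[A-Za-z0-9_.-]{1,15}$')

- name: Create service file for turning off the interface
  template:
    src: disable_interface.service.j2
    dest: /etc/systemd/system/disable_interface.service
    mode: "u=rw,g=r,o=r"
  become: true
  become_user: root
  register: disable_interface_unit

- name: Enable and (re)start disable_interface service
  systemd:
    name: disable_interface.service
    daemon_reload: true
    enabled: true
    state: "{{ 'restarted' if disable_interface_unit is changed else 'started' }}"
  become: true
  become_user: root
```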
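Review bot: In `disable_interface.service.j2`, `ExecStart=/sbin/ip link set {{ interface_name }} down` runs once and is ordered after `network-online.target`, so the management port is up throughout early boot and nothing in the unit keeps it down afterwards; with `RemainAfterExit=yes` the unit still reports active if a network manager or an operator later raises the link. If the port must never carry traffic, that probably has to be enforced in the host's network configuration as well, and the unit deserves a comment such as `# One-shot: sets the link down at boot only; does not stop it being brought up again`. `WantedBy=final.target` also looks unintended, since final.target is part of the shutdown sequence; `WantedBy=multi-user.target` alone should be enough.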