Disable interface

3f7bd34f · Simon Michnowicz · Andreas Hamacher · df98aeff · 3f7bd34f · 3f7bd34f
Commit 3f7bd34f authored 4 years ago by Simon Michnowicz Committed by Andreas Hamacher 4 years ago
--- a/roles/disable_interface/README.md
+++ b/roles/disable_interface/README.md
+This role permanently turns off a network interface. This is needed for baremetal
+machines, which may have a management interface (i.e. e1p1) that needs to
+be disabled for security reasons. We use `ip link set <Name> down` to disable the interface.
+
+To survive a reboot, this role sets up a service file and enables it for starting upon an OS start.
+
+Usage
+ - {role: disable_interface, interface_name : "eth5" }
+ - {role: disable_interface  }
+
+{{ interface_name }} if not defined, defaults to "e1p1"
--- a/roles/disable_interface/tasks/main.yml
+++ b/roles/disable_interface/tasks/main.yml
+---
+
+# This role adds a sytemd services file and enables it
+# It disables the {{ interface_name }} interface  (Management port) on Baremetal nodes
+- set_fact: interface_name="e1p1"
+  when: interface_name is undefined
+
+- name: Create service file for turning off interace name
+  template: src=disable_interface.service.j2 dest=/etc/systemd/system/disable_interface.service mode="u=rw,g=r,o=r"
+  become: true
+  become_user: root
+
+- name: enable and start device_off service
+  service: name=disable_interface.service state=started enabled=yes
+  become: true
+  become_user: root
--- a/roles/disable_interface/templates/disable_interface.service.j2
+++ b/roles/disable_interface/templates/disable_interface.service.j2
+[Unit]
+Description=Turn off {{ interface_name }} interface (management port)
+After=network.target network-online.target openibd.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/ip link set {{ interface_name }}  down
+#'ip link show {{ interface_name }} ' is either UP or DOWN
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=final.target
+