cerc-io
/
stack-orchestrator
mirror of https://github.com/cerc-io/stack-orchestrator
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
stack-orchestrator/playbooks/ashburn-relay-check.yml

252 lines
7.4 KiB
YAML
Raw Normal View History

fix: inventory layering — playbooks use hosts:all, cross-inventory uses explicit hosts Normal playbooks should never hardcode hostnames — that's an inventory concern. Changed all playbooks to hosts:all. The one exception is ashburn-relay-check.yml which legitimately spans both inventories (switches + biscayne) and uses explicit hostnames. Also adds: - ashburn-relay-check.yml: full-path relay diagnostics (switches + host) - biscayne-start.yml: start kind container and scale validator to 1 - ashburn-relay-setup.sh.j2: boot persistence script for relay state - Direct device mounts replacing rbind (ZFS shared propagation fix) - systemd service replacing broken if-up.d/netfilter-persistent - PV mount path corrections (/mnt/validator-* not /mnt/solana/*) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 22:28:21 +00:00
---
# Ashburn relay health check — full path verification
#
# Cross-inventory playbook: checks was-sw01, mia-sw01, and biscayne.
# All tasks are read-only — safe to run at any time.
#
# Usage:
# ansible-playbook -i inventory-switches/switches.yml \
# -i inventory/biscayne.yml playbooks/ashburn-relay-check.yml
- name: Check was-sw01 relay config
hosts: was-sw01
gather_facts: false
vars:
ashburn_ip: 137.239.194.65
tasks:
- name: Check loopback interfaces
arista.eos.eos_command:
commands:
- show ip interface brief | include Loopback
register: was_loopbacks
changed_when: false
- name: Check route for ashburn IP
arista.eos.eos_command:
commands:
- "show ip route {{ ashburn_ip }}"
register: was_route
changed_when: false
- name: Check Et1/1 config
arista.eos.eos_command:
commands:
- show running-config interfaces Ethernet1/1
register: was_et1
changed_when: false
- name: Check traffic-policies
arista.eos.eos_command:
commands:
- "show running-config | section traffic-policy"
register: was_traffic_policy
changed_when: false
- name: Check system-rule
arista.eos.eos_command:
commands:
- "show running-config | include system-rule"
register: was_system_rule
changed_when: false
- name: Check monitor sessions
arista.eos.eos_command:
commands:
- show monitor session
register: was_monitor
changed_when: false
- name: Check backbone interface
arista.eos.eos_command:
commands:
- show interfaces Ethernet4/1 status
register: was_backbone
changed_when: false
- name: Show was-sw01 relay status
ansible.builtin.debug:
msg:
loopbacks: "{{ was_loopbacks.stdout_lines[0] }}"
route_to_ashburn_ip: "{{ was_route.stdout_lines[0] }}"
et1_config: "{{ was_et1.stdout_lines[0] }}"
traffic_policy: "{{ was_traffic_policy.stdout[0] | default('none') }}"
system_rule: "{{ was_system_rule.stdout[0] | default('none') }}"
monitor_sessions: "{{ was_monitor.stdout_lines[0] }}"
backbone: "{{ was_backbone.stdout_lines[0] }}"
- name: Check mia-sw01 relay config
hosts: mia-sw01
gather_facts: false
vars:
ashburn_ip: 137.239.194.65
tasks:
- name: Check tunnel interfaces
arista.eos.eos_command:
commands:
- show ip interface brief | include Tunnel
register: mia_tunnels
changed_when: false
- name: Check Tunnel100 config
arista.eos.eos_command:
commands:
- show running-config interfaces Tunnel100
register: mia_tunnel100
changed_when: false
- name: Check Tunnel100 ACL
arista.eos.eos_command:
commands:
- show ip access-lists SEC-VALIDATOR-100-IN
register: mia_acl
changed_when: false
- name: Check route for ashburn IP
arista.eos.eos_command:
commands:
- "show ip route {{ ashburn_ip }}"
register: mia_route
changed_when: false
- name: Check traffic-policies
arista.eos.eos_command:
commands:
- "show running-config | section traffic-policy"
register: mia_traffic_policy
changed_when: false
- name: Check system-rule
arista.eos.eos_command:
commands:
- "show running-config | include system-rule"
register: mia_system_rule
changed_when: false
- name: Check backbone interface
arista.eos.eos_command:
commands:
- show interfaces Ethernet4/1 status
register: mia_backbone
changed_when: false
- name: Show mia-sw01 relay status
ansible.builtin.debug:
msg:
tunnels: "{{ mia_tunnels.stdout_lines[0] }}"
tunnel100_config: "{{ mia_tunnel100.stdout_lines[0] }}"
tunnel100_acl: "{{ mia_acl.stdout_lines[0] }}"
route_to_ashburn_ip: "{{ mia_route.stdout_lines[0] }}"
traffic_policy: "{{ mia_traffic_policy.stdout[0] | default('none') }}"
system_rule: "{{ mia_system_rule.stdout[0] | default('none') }}"
backbone: "{{ mia_backbone.stdout_lines[0] }}"
- name: Check biscayne relay state
hosts: biscayne
gather_facts: false
vars:
ashburn_ip: 137.239.194.65
tunnel_device: gre-ashburn
tunnel_remote_ip: 169.254.100.0
tasks:
- name: Check GRE tunnel
ansible.builtin.shell:
cmd: >
set -o pipefail &&
ip tunnel show {{ tunnel_device }} 2>&1 || echo "tunnel not found"
executable: /bin/bash
register: biscayne_tunnel
changed_when: false
- name: Check loopback IP
ansible.builtin.shell:
cmd: >
set -o pipefail &&
ip addr show lo | grep '{{ ashburn_ip }}' || echo "not configured"
executable: /bin/bash
register: biscayne_lo
changed_when: false
- name: Check iptables DNAT rules
ansible.builtin.shell:
cmd: >
set -o pipefail &&
iptables -t nat -L PREROUTING -v -n | grep '{{ ashburn_ip }}'
|| echo "no DNAT rules"
executable: /bin/bash
register: biscayne_dnat
changed_when: false
become: true
- name: Check iptables mangle rules
ansible.builtin.shell:
cmd: >
set -o pipefail &&
iptables -t mangle -L PREROUTING -v -n | grep 'MARK'
|| echo "no mangle rules"
executable: /bin/bash
register: biscayne_mangle
changed_when: false
become: true
- name: Check iptables SNAT rule
ansible.builtin.shell:
cmd: >
set -o pipefail &&
iptables -t nat -L POSTROUTING -v -n | grep '{{ ashburn_ip }}'
|| echo "no SNAT rule"
executable: /bin/bash
register: biscayne_snat
changed_when: false
become: true
- name: Check policy routing
ansible.builtin.shell:
cmd: >
set -o pipefail &&
ip rule show | grep ashburn || echo "no policy rule"
executable: /bin/bash
register: biscayne_policy
changed_when: false
- name: Check ashburn routing table
ansible.builtin.shell:
cmd: >
set -o pipefail &&
ip route show table ashburn 2>&1 || echo "table not found"
executable: /bin/bash
register: biscayne_table
changed_when: false
- name: Check tunnel ping
ansible.builtin.command:
cmd: "ping -c 2 -W 2 {{ tunnel_remote_ip }}"
register: biscayne_ping
changed_when: false
failed_when: false
- name: Check ashburn-relay service
ansible.builtin.systemd:
name: ashburn-relay.service
register: biscayne_service
check_mode: true
failed_when: false
- name: Show biscayne relay status
ansible.builtin.debug:
msg:
gre_tunnel: "{{ biscayne_tunnel.stdout }}"
loopback_ip: "{{ biscayne_lo.stdout }}"
dnat_rules: "{{ biscayne_dnat.stdout_lines }}"
mangle_rules: "{{ biscayne_mangle.stdout_lines }}"
snat_rule: "{{ biscayne_snat.stdout_lines }}"
policy_routing: "{{ biscayne_policy.stdout }}"
routing_table: "{{ biscayne_table.stdout }}"
tunnel_ping: "{{ 'OK (' + biscayne_ping.stdout_lines[-1] + ')' if biscayne_ping.rc == 0 else 'FAILED' }}"
systemd_service: "{{ biscayne_service.status.ActiveState | default('not installed') }}"