From f0f2b812762c520d1325af7fb4f963fb70d7b635 Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya <bdobrelia@mirantis.com>
Date: Wed, 7 Dec 2016 12:45:15 +0100
Subject: [PATCH] Change GCE sysctls placement and docs

Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of
the /etc/sysctl.d/11-gce-network-security.conf. It is recreated
by GCE, f.e. if gcloud CLI invokes some security related changes,
thus losing customizations we want to be persistent.

Update cloud providers firewall requirements in calico docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
---
 docs/calico.md                             | 5 +++++
 roles/kubernetes/preinstall/tasks/main.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/calico.md b/docs/calico.md
index ab4211664..74df6d7e2 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -71,3 +71,8 @@ you'll need to edit the inventory and add a and a hostvar `local_as` by node.
 ```
 node1 ansible_ssh_host=95.54.0.12 local_as=xxxxxx
 ```
+
+Cloud providers configuration
+=============================
+
+Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``ipip: true`` if the cloud provider was defined.
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 9c7d34c27..901544ac2 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -71,7 +71,7 @@
 
 - name: Fix ipv4 forward rule in GCE security policy
   lineinfile:
-    dest: /etc/sysctl.d/11-gce-network-security.conf
+    dest: /etc/sysctl.d/99-sysctl.conf
     regexp: '^net.ipv4.ip_forward='
     line: 'net.ipv4.ip_forward=1'
     state: present
-- 
GitLab