From ece3cf9aa66e0974e7f30ffb5798b23c64fd04cc Mon Sep 17 00:00:00 2001
From: Russell Teague
Date: Mon, 14 Aug 2017 15:25:28 -0400
Subject: Additional os_firewall role refactoring

* Remove openshift_facts dependency
* Move firewall initialization from std_include.yml to openshift_cluster/config.yml

Installing firewall packages is only necessary during OpenShift installation.
---
roles/os_firewall/tasks/firewall/firewalld.yml | 51 -----------------------
roles/os_firewall/tasks/firewall/iptables.yml | 38 -----------------
roles/os_firewall/tasks/firewalld.yml | 57 ++++++++++++++++++++++++++
roles/os_firewall/tasks/iptables.yml | 41 ++++++++++++++++++
roles/os_firewall/tasks/main.yml | 25 +++++++----
5 files changed, 114 insertions(+), 98 deletions(-)
delete mode 100644 roles/os_firewall/tasks/firewall/firewalld.yml
delete mode 100644 roles/os_firewall/tasks/firewall/iptables.yml
create mode 100644 roles/os_firewall/tasks/firewalld.yml
create mode 100644 roles/os_firewall/tasks/iptables.yml
(limited to 'roles/os_firewall/tasks')

diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
deleted file mode 100644
index 2cc7af478..000000000
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ /dev/null
@@ -1,51 +0,0 @@
----
-- name: Install firewalld packages
- package:
- name: firewalld
- state: present
-
-- name: Ensure iptables services are not enabled
- systemd:
- name: "{{ item }}"
- state: stopped
- enabled: no
- masked: yes
- with_items:
- - iptables
- - ip6tables
- register: task_result
- failed_when: task_result|failed and 'could not' not in task_result.msg|lower
-
-- name: Wait 10 seconds after disabling iptables
- pause:
- seconds: 10
- when: task_result | changed
-
-- name: Start and enable firewalld service
- systemd:
- name: firewalld
- state: started
- enabled: yes
- masked: no
- daemon_reload: yes
- register: result
-
-- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
- pause: seconds=10
- when: result | changed
-
-- name: Restart polkitd
- systemd:
- name: polkit
- state: restarted
- when: result | changed
-
-# Fix suspected race between firewalld and polkit BZ1436964
-- name: Wait for polkit action to have been created
- command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info
- ignore_errors: true
- register: pkaction
- changed_when: false
- until: pkaction.rc == 0
- retries: 6
- delay: 10
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
deleted file mode 100644
index 7e1fa2c02..000000000
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-
-- name: Ensure firewalld service is not enabled
- systemd:
- name: firewalld
- state: stopped
- enabled: no
- masked: yes
- register: task_result
- failed_when: task_result|failed and 'could not' not in task_result.msg|lower
-
-- name: Wait 10 seconds after disabling firewalld
- pause:
- seconds: 10
- when: task_result | changed
-
-- name: Install iptables packages
- package: name={{ item }} state=present
- with_items:
- - iptables
- - iptables-services
- when: not openshift.common.is_atomic | bool
-
-- name: Start and enable iptables service
- systemd:
- name: iptables
- state: started
- enabled: yes
- masked: no
- daemon_reload: yes
- register: result
- delegate_to: "{{item}}"
- run_once: true
- with_items: "{{ ansible_play_hosts }}"
-
-- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
- pause: seconds=10
- when: result | changed
diff --git a/roles/os_firewall/tasks/firewalld.yml b/roles/os_firewall/tasks/firewalld.yml
new file mode 100644
index 000000000..54430f402
--- /dev/null
+++ b/roles/os_firewall/tasks/firewalld.yml
@@ -0,0 +1,57 @@
+---
+- name: Fail - Firewalld is not supported on Atomic Host
+ fail:
+ msg: "Firewalld is not supported on Atomic Host"
+ when: r_os_firewall_is_atomic | bool
+
+- name: Install firewalld packages
+ package:
+ name: firewalld
+ state: present
+
+- name: Ensure iptables services are not enabled
+ systemd:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ masked: yes
+ with_items:
+ - iptables
+ - ip6tables
+ register: task_result
+ failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling iptables
+ pause:
+ seconds: 10
+ when: task_result | changed
+
+- name: Start and enable firewalld service
+ systemd:
+ name: firewalld
+ state: started
+ enabled: yes
+ masked: no
+ daemon_reload: yes
+ register: result
+
+- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
+ pause:
+ seconds: 10
+ when: result | changed
+
+- name: Restart polkitd
+ systemd:
+ name: polkit
+ state: restarted
+ when: result | changed
+
+# Fix suspected race between firewalld and polkit BZ1436964
+- name: Wait for polkit action to have been created
+ command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info
+ ignore_errors: true
+ register: pkaction
+ changed_when: false
+ until: pkaction.rc == 0
+ retries: 6
+ delay: 10
diff --git a/roles/os_firewall/tasks/iptables.yml b/roles/os_firewall/tasks/iptables.yml
new file mode 100644
index 000000000..0af5abf38
--- /dev/null
+++ b/roles/os_firewall/tasks/iptables.yml
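Review bot: The polkit wait at the end of the new firewalld.yml (`command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info`) pairs `ignore_errors: true` with `until`/`retries: 6`, so if polkit never exposes the FirewallD1 action the task is reported as ignored and the play carries on with a firewalld that later configuration tasks presumably cannot drive; the root cause is then only visible in the skipped-error output, not as a failure of this host. If continuing is deliberate, state it above the task, e.g. `# Best effort: a persistent polkit failure is tolerated here rather than aborting the install`; otherwise dropping `ignore_errors: true` lets retry exhaustion fail the host, which is the safer default for a firewall role. The new Atomic guard (`when: r_os_firewall_is_atomic | bool`) relies on a fact that only main.yml sets, so a one-line comment naming that dependency would help anyone including this file directly. The same `ignore_errors` pattern existed in the deleted firewall/firewalld.yml; the move is a good moment to decide on it.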
@@ -0,0 +1,41 @@
+---
+
+- name: Ensure firewalld service is not enabled
+ systemd:
+ name: firewalld
+ state: stopped
+ enabled: no
+ masked: yes
+ register: task_result
+ failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling firewalld
+ pause:
+ seconds: 10
+ when: task_result | changed
+
+- name: Install iptables packages
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - iptables
+ - iptables-services
+ when: not r_os_firewall_is_atomic | bool
+
+- name: Start and enable iptables service
+ systemd:
+ name: iptables
+ state: started
+ enabled: yes
+ masked: no
+ daemon_reload: yes
+ register: result
+ delegate_to: "{{item}}"
+ run_once: true
+ with_items: "{{ ansible_play_hosts }}"
+
+- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
+ pause:
+ seconds: 10
+ when: result | changed
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 20efe5b0d..c477d386c 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
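Review bot: Stopping and masking firewalld at the top of the new iptables.yml, then pausing ten seconds before `Start and enable iptables service`, leaves a host that previously ran firewalld without any loaded packet filter for that window (with firewalld's default cleanup-on-exit behaviour its rules are removed on stop), and nothing in the file records that this is accepted. A comment above the pause would make the trade-off explicit, e.g. `# Between firewalld stopping and iptables starting the host has no firewall rules loaded; keep this window short`. The start task also runs once and delegates to every host in `ansible_play_hosts`, including Atomic hosts where the package install above is skipped by `when: not r_os_firewall_is_atomic | bool` — presumably the iptables unit is already present there, but a comment saying so would save the next reader the question. Minor style: `delegate_to: "{{item}}"` lacks the spaces used by `"{{ item }}"` elsewhere in the same file.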
@@ -1,12 +1,19 @@
 ---
-- name: Assert - Do not use firewalld on Atomic Host
- assert:
- that: not os_firewall_use_firewalld | bool
- msg: "Firewalld is not supported on Atomic Host"
- when: openshift.common.is_atomic | bool
+- name: Detecting Atomic Host Operating System
+ stat:
+ path: /run/ostree-booted
+ register: r_os_firewall_ostree_booted
 
-- include: firewall/firewalld.yml
- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- name: Set fact r_os_firewall_is_atomic
+ set_fact:
+ r_os_firewall_is_atomic: "{{ r_os_firewall_ostree_booted.stat.exists }}"
 
-- include: firewall/iptables.yml
- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- include: firewalld.yml
+ when:
+ - os_firewall_enabled | bool
+ - os_firewall_use_firewalld | bool
+
+- include: iptables.yml
+ when:
+ - os_firewall_enabled | bool
+ - not os_firewall_use_firewalld | bool
-- cgit v1.2.3
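Review bot: `r_os_firewall_is_atomic` is set in main.yml and consumed by both included task files (the `fail` guard in firewalld.yml and the package-install condition in iptables.yml), but nothing here records that contract or that the two detection tasks must stay ahead of the includes. A comment above the `stat` task would document it, e.g. `# r_os_firewall_is_atomic is required by firewalld.yml and iptables.yml; it must be set before any include`. Because `set_fact` stores the templated `"{{ r_os_firewall_ostree_booted.stat.exists }}"`, consumers should keep applying `| bool` as they do now, and that is worth a short note at the `set_fact` as well. The detection also runs when `os_firewall_enabled` is false; that is harmless but could be gated on the same condition if the role wants to do nothing at all in that case.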