From ece3cf9aa66e0974e7f30ffb5798b23c64fd04cc Mon Sep 17 00:00:00 2001
From: Russell Teague <rteague@redhat.com>
Date: Mon, 14 Aug 2017 15:25:28 -0400
Subject: Additional os_firewall role refactoring

* Remove openshift_facts dependency
* Move firewall initialization from std_include.yml to
openshift_cluster/config.yml

Installing firewall packages is only necessary during OpenShift
installation.
---
 roles/os_firewall/tasks/firewall/firewalld.yml | 51 -----------------------
 roles/os_firewall/tasks/firewall/iptables.yml  | 38 -----------------
 roles/os_firewall/tasks/firewalld.yml          | 57 ++++++++++++++++++++++++++
 roles/os_firewall/tasks/iptables.yml           | 41 ++++++++++++++++++
 roles/os_firewall/tasks/main.yml               | 25 +++++++----
 5 files changed, 114 insertions(+), 98 deletions(-)
 delete mode 100644 roles/os_firewall/tasks/firewall/firewalld.yml
 delete mode 100644 roles/os_firewall/tasks/firewall/iptables.yml
 create mode 100644 roles/os_firewall/tasks/firewalld.yml
 create mode 100644 roles/os_firewall/tasks/iptables.yml


diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
deleted file mode 100644
index 2cc7af478..000000000
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ /dev/null
@@ -1,51 +0,0 @@
----
-- name: Install firewalld packages
-  package:
-    name: firewalld
-    state: present
-
-- name: Ensure iptables services are not enabled
-  systemd:
-    name: "{{ item }}"
-    state: stopped
-    enabled: no
-    masked: yes
-  with_items:
-    - iptables
-    - ip6tables
-  register: task_result
-  failed_when: task_result|failed and 'could not' not in task_result.msg|lower
-
-- name: Wait 10 seconds after disabling iptables
-  pause:
-    seconds: 10
-  when: task_result | changed
-
-- name: Start and enable firewalld service
-  systemd:
-    name: firewalld
-    state: started
-    enabled: yes
-    masked: no
-    daemon_reload: yes
-  register: result
-
-- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
-  pause: seconds=10
-  when: result | changed
-
-- name: Restart polkitd
-  systemd:
-    name: polkit
-    state: restarted
-  when: result | changed
-
-# Fix suspected race between firewalld and polkit BZ1436964
-- name: Wait for polkit action to have been created
-  command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info
-  ignore_errors: true
-  register: pkaction
-  changed_when: false
-  until: pkaction.rc == 0
-  retries: 6
-  delay: 10
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
deleted file mode 100644
index 7e1fa2c02..000000000
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-
-- name: Ensure firewalld service is not enabled
-  systemd:
-    name: firewalld
-    state: stopped
-    enabled: no
-    masked: yes
-  register: task_result
-  failed_when: task_result|failed and 'could not' not in task_result.msg|lower
-
-- name: Wait 10 seconds after disabling firewalld
-  pause:
-    seconds: 10
-  when: task_result | changed
-
-- name: Install iptables packages
-  package: name={{ item }} state=present
-  with_items:
-    - iptables
-    - iptables-services
-  when: not openshift.common.is_atomic | bool
-
-- name: Start and enable iptables service
-  systemd:
-    name: iptables
-    state: started
-    enabled: yes
-    masked: no
-    daemon_reload: yes
-  register: result
-  delegate_to: "{{item}}"
-  run_once: true
-  with_items: "{{ ansible_play_hosts }}"
-
-- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
-  pause: seconds=10
-  when: result | changed
diff --git a/roles/os_firewall/tasks/firewalld.yml b/roles/os_firewall/tasks/firewalld.yml
new file mode 100644
index 000000000..54430f402
--- /dev/null
+++ b/roles/os_firewall/tasks/firewalld.yml
@@ -0,0 +1,57 @@
+---
+- name: Fail - Firewalld is not supported on Atomic Host
+  fail:
+    msg: "Firewalld is not supported on Atomic Host"
+  when: r_os_firewall_is_atomic | bool
+
+- name: Install firewalld packages
+  package:
+    name: firewalld
+    state: present
+
+- name: Ensure iptables services are not enabled
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+    masked: yes
+  with_items:
+    - iptables
+    - ip6tables
+  register: task_result
+  failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling iptables
+  pause:
+    seconds: 10
+  when: task_result | changed
+
+- name: Start and enable firewalld service
+  systemd:
+    name: firewalld
+    state: started
+    enabled: yes
+    masked: no
+    daemon_reload: yes
+  register: result
+
+- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
+  pause:
+    seconds: 10
+  when: result | changed
+
+- name: Restart polkitd
+  systemd:
+    name: polkit
+    state: restarted
+  when: result | changed
+
+# Fix suspected race between firewalld and polkit BZ1436964
+- name: Wait for polkit action to have been created
+  command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info
+  ignore_errors: true
+  register: pkaction
+  changed_when: false
+  until: pkaction.rc == 0
+  retries: 6
+  delay: 10
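Review bot: The polkit wait at the end of the file is best-effort and degrades silently: `ignore_errors: true` together with `until`/`retries: 6` means that when `pkaction` never succeeds within roughly a minute the task is marked failed but the play continues with no signal, so the BZ1436964 race it guards against can still affect later firewalld configuration tasks. A comment above the task would make that explicit, e.g. `# Best effort: if the action still does not exist after 6 retries the failure is ignored and the play continues.`. Separately, the `failed_when` on "Ensure iptables services are not enabled" (and the same expression in iptables.yml) tolerates any failure whose message contains "could not", which presumably is meant to cover the unit-not-found case; a comment such as `# Tolerate the unit being absent; any other systemd failure is fatal.` would make the string match less surprising to the next maintainer.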
diff --git a/roles/os_firewall/tasks/iptables.yml b/roles/os_firewall/tasks/iptables.yml
new file mode 100644
index 000000000..0af5abf38
--- /dev/null
+++ b/roles/os_firewall/tasks/iptables.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Ensure firewalld service is not enabled
+  systemd:
+    name: firewalld
+    state: stopped
+    enabled: no
+    masked: yes
+  register: task_result
+  failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling firewalld
+  pause:
+    seconds: 10
+  when: task_result | changed
+
+- name: Install iptables packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - iptables
+    - iptables-services
+  when: not r_os_firewall_is_atomic | bool
+
+- name: Start and enable iptables service
+  systemd:
+    name: iptables
+    state: started
+    enabled: yes
+    masked: no
+    daemon_reload: yes
+  register: result
+  delegate_to: "{{item}}"
+  run_once: true
+  with_items: "{{ ansible_play_hosts }}"
+
+- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
+  pause:
+    seconds: 10
+  when: result | changed
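Review bot: `delegate_to: "{{item}}"` on "Start and enable iptables service" drops the spaces inside the braces while every other template in the file is written `{{ item }}` (see the package task above it); make it `delegate_to: "{{ item }}"` for consistency. The `enabled: yes` / `masked: no` values would also read more clearly as `true` / `false`, which yamllint's truthy rule expects, though the rest of the role uses the yes/no form, so that is a role-wide change rather than one for this file alone.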
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 20efe5b0d..c477d386c 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
@@ -1,12 +1,19 @@
 ---
-- name: Assert - Do not use firewalld on Atomic Host
-  assert:
-    that: not os_firewall_use_firewalld | bool
-    msg: "Firewalld is not supported on Atomic Host"
-  when: openshift.common.is_atomic | bool
+- name: Detecting Atomic Host Operating System
+  stat:
+    path: /run/ostree-booted
+  register: r_os_firewall_ostree_booted
 
-- include: firewall/firewalld.yml
-  when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- name: Set fact r_os_firewall_is_atomic
+  set_fact:
+    r_os_firewall_is_atomic: "{{ r_os_firewall_ostree_booted.stat.exists }}"
 
-- include: firewall/iptables.yml
-  when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- include: firewalld.yml
+  when:
+  - os_firewall_enabled | bool
+  - os_firewall_use_firewalld | bool
+
+- include: iptables.yml
+  when:
+  - os_firewall_enabled | bool
+  - not os_firewall_use_firewalld | bool
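Review bot: The new Atomic Host detection has no comment explaining why `/run/ostree-booted` stands in for the removed `openshift.common.is_atomic` check; a one-liner above the stat task, e.g. `# Atomic Host boots from OSTree, which creates /run/ostree-booted; checked directly so the role no longer depends on openshift_facts`, ties the task to the intent stated in the commit message. Since `r_os_firewall_is_atomic` is set from a quoted template, it may be stored as a string rather than a boolean depending on the Ansible version, so consumers should keep the `| bool` cast that firewalld.yml and iptables.yml already use. The `when:` lists under both includes use flush sequence indentation while `with_items:` in the two new task files is indented; picking one style for the role would be cleaner.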
-- 