Switch to firewalld for Fedora >= 32

Change-Id: If813c232d36365d43081598d21c7afe84adae62b
Dmitry Tantsur 2020-10-28 14:44:04 +01:00
parent 2e4d851272
commit 0463cd180d
6 changed files with 18 additions and 7 deletions


@ -63,7 +63,7 @@ For the machine that hosts Bifrost you'll need to figure out:
* The network interface you're going to use for communication between the bare
metal machines and the Bifrost services.
On systems using firewalld (CentOS and RHEL currently), a new zone
On systems using firewalld (Fedora, CentOS and RHEL currently), a new zone
``bifrost`` will be created, and the network interface will be moved to it.
DHCP, PXE and API services will only be added to this zone. If you need any
of them available in other zones, you need to configure firewall yourself.


@ -48,6 +48,12 @@ network_interface: "virbr0"
ans_network_interface: "{{ network_interface | replace('-', '_') }}"
internal_interface: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4'] }}"
internal_ip: "{{ internal_interface['address'] }}"
# Fedora 30 did not use firewalld, 32 started relying on it.
use_firewalld: >-
{{ ansible_distribution in ['RedHat', 'CentOS']
or (ansible_distribution == 'Fedora'
and ansible_distribution_major_version|int >= 32) }}
# Our own firewalld zone, only applies when testing is false.
firewalld_internal_zone: bifrost
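Review bot: `use_firewalld` is a Jinja expression inside a folded scalar, and depending on the Ansible version and whether native Jinja is enabled it may land as the string "True"/"False" rather than a boolean; the `| bool` filter the task files apply at every `when:` is what keeps a bare "False" from being truthy, so that requirement belongs next to the definition. A comment such as `# NOTE: may render as a string; always consume as use_firewalld | bool` would stop the next consumer from dropping the filter. The `['RedHat', 'CentOS']` list also leaves out other RHEL rebuilds; if the role supports them elsewhere, `ansible_os_family` may be the better key, but that cannot be confirmed from this hunk.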


@ -8,6 +8,7 @@ mysql_service_name: mariadb
tftp_service_name: tftp
required_packages:
- dnsmasq
- firewalld
- gcc
- genisoimage
- httpd-tools
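Review bot: `firewalld` is appended to `required_packages` without a condition, so on this hunk's reading it is installed on every host loading this vars file, including Fedora releases below 32 where `use_firewalld` is false and the iptables tasks run instead. Installing the package does not by itself enable the service, so this is likely harmless, but whether the service ends up active then depends on the base image rather than on the role. A comment would make the intent explicit: `- firewalld  # installed on all RedHat-family hosts; only configured when use_firewalld is true`.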


@ -24,7 +24,7 @@
- name: "Setup firewalld"
include_tasks: setup_firewalld.yml
when: ansible_distribution in ["CentOS", "RedHat"]
when: use_firewalld | bool
# NOTE(sean-k-mooney) only the MySQL database is started during bootstrapping.
# All other services are started in the Start phase.
@ -345,7 +345,7 @@
loop:
- "{{ file_url_port }}"
- 6385
when: ansible_distribution not in ["CentOS", "RedHat"]
when: not use_firewalld | bool
- name: "Enable services in firewalld"
firewalld:
@ -358,7 +358,7 @@
- dhcp
- dhcpv6
- tftp
when: ansible_distribution in ["CentOS", "RedHat"]
when: use_firewalld | bool
- name: "Enable ports in firewalld"
firewalld:
@ -370,7 +370,7 @@
loop:
- "{{ file_url_port }}"
- 6385
when: ansible_distribution in ["CentOS", "RedHat"]
when: use_firewalld | bool
- block:
- name: "Explicitly allow nginx and IPA port (TCP) on selinux"
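Review bot: The split between the iptables tasks (`when: not use_firewalld | bool`) and the firewalld tasks (`when: use_firewalld | bool`) is now keyed on distribution and version only, not on whether firewalld is actually managing the host, so a host whose firewall differs from the distro default (firewalld active on an older Fedora, or disabled on CentOS) gets `file_url_port` and 6385 opened in a firewall that is not enforcing, while the active one keeps them closed. The inspector tasks in the other file (hunks at -151,7 and -160,4) share the same pattern. At minimum the assumption should be stated where the variable is defined, e.g. `# assumes the distribution's default firewall is the active one; override use_firewalld on hosts where it is not`; deriving it from `ansible_facts.services` or a `firewall-cmd --state` probe would be more robust but is a larger change than this commit. The enclosing task list starts and ends outside these hunks.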


@ -151,7 +151,7 @@
destination_port: 5050
in_interface: "{{ network_interface }}"
jump: ACCEPT
when: ansible_distribution not in ["CentOS", "RedHat"]
when: not use_firewalld | bool
- name: "Inspector - Enable port in firewalld"
firewalld:
@ -160,4 +160,4 @@
state: enabled
permanent: yes
immediate: yes
when: ansible_distribution in ["CentOS", "RedHat"]
when: use_firewalld | bool


@ -0,0 +1,4 @@
---
fixes:
- |
FirewallD is now used on Fedora 32 and newer to fix firewall issues.