diff --git a/doc/source/install/index.rst b/doc/source/install/index.rst
index b1bccac62..67d3a59d9 100644
--- a/doc/source/install/index.rst
+++ b/doc/source/install/index.rst
@@ -63,7 +63,7 @@ For the machine that hosts Bifrost you'll need to figure out:
 * The network interface you're going to use for communication between the bare metal machines and the Bifrost services.
- On systems using firewalld (CentOS and RHEL currently), a new zone
+ On systems using firewalld (Fedora, CentOS and RHEL currently), a new zone
 ``bifrost`` will be created, and the network interface will be moved to it. DHCP, PXE and API services will only be added to this zone. If you need any of them available in other zones, you need to configure firewall yourself.
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index 7798e994d..0fc79a519 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -48,6 +48,12 @@ network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 internal_interface: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4'] }}"
 internal_ip: "{{ internal_interface['address'] }}"
+
+# Fedora 30 did not use firewalld, 32 started relying on it.
+use_firewalld: >-
+ {{ ansible_distribution in ['RedHat', 'CentOS']
+ or (ansible_distribution == 'Fedora'
+ and ansible_distribution_major_version|int >= 32) }}
 
 # Our own firewalld zone, only applies when testing is false.
 firewalld_internal_zone: bifrost
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml
index 3aace7171..298fb41bc 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml
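Review bot: `use_firewalld` is a folded-scalar template, so it is carried as the string "True"/"False" rather than a boolean, which is why every consumer in bootstrap.yml and inspector_bootstrap.yml has to append `| bool`; a later `when: use_firewalld` or `{{ use_firewalld == true }}` would silently misbehave, and the comment above the variable should say so. The comment also names only Fedora 30 and 32, while the expression routes Fedora 31 and every non-Fedora, non-RHEL/CentOS distribution to the iptables path; stating that makes the firewall gate auditable. Suggested replacement comment: `# Fedora 30 did not use firewalld, 32 started relying on it. Renders to a string ("True"/"False"): always consume it as use_firewalld | bool. Fedora < 32 and other distributions take the iptables path.` The install doc hunk above now says "Fedora" without that version floor; `(Fedora 32+, CentOS and RHEL currently)` would match the expression.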
@@ -8,6 +8,7 @@ mysql_service_name: mariadb
 tftp_service_name: tftp
 required_packages:
 - dnsmasq
+ - firewalld
 - gcc
 - genisoimage
 - httpd-tools
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index 6fcee7134..9582853aa 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -24,7 +24,7 @@
 
 - name: "Setup firewalld"
 include_tasks: setup_firewalld.yml
- when: ansible_distribution in ["CentOS", "RedHat"]
+ when: use_firewalld | bool
 
 # NOTE(sean-k-mooney) only the MySQL database is started during bootstrapping.
 # All other services are started in the Start phase.
@@ -345,7 +345,7 @@
 loop:
 - "{{ file_url_port }}"
 - 6385
- when: ansible_distribution not in ["CentOS", "RedHat"]
+ when: not use_firewalld | bool
 
 - name: "Enable services in firewalld"
 firewalld:
@@ -358,7 +358,7 @@
 - dhcp
 - dhcpv6
 - tftp
- when: ansible_distribution in ["CentOS", "RedHat"]
+ when: use_firewalld | bool
 
 - name: "Enable ports in firewalld"
 firewalld:
@@ -370,7 +370,7 @@
 loop:
 - "{{ file_url_port }}"
 - 6385
- when: ansible_distribution in ["CentOS", "RedHat"]
+ when: use_firewalld | bool
 
 - block:
 - name: "Explicitly allow nginx and IPA port (TCP) on selinux"
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
index 3e15d3e47..c1c887e8c 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
@@ -151,7 +151,7 @@
 destination_port: 5050
 in_interface: "{{ network_interface }}"
 jump: ACCEPT
- when: ansible_distribution not in ["CentOS", "RedHat"]
+ when: not use_firewalld | bool
 
 - name: "Inspector - Enable port in firewalld"
 firewalld:
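Review bot: `firewalld` is added to `required_packages` unconditionally, while `use_firewalld` selects the firewalld path only for Fedora 32 and newer, so on older Fedora the package is installed and the role then programs iptables directly. If the firewalld service is active on such a host (the diff does not show whether installing the package starts it), its zone policy rather than the inserted iptables rules decides what reaches the DHCP, TFTP and API ports, and the intended exposure of those services may not hold. Either gate the package on the same condition or have the iptables branch in bootstrap.yml assert that firewalld is not running, and record the decision next to the entry, e.g. `# Only exercised when use_firewalld is true (Fedora >= 32).`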
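Review bot: `when: not use_firewalld | bool` in the hunk at line 345 (and again in inspector_bootstrap.yml at line 151) depends on the Jinja filter binding tighter than `not`; it does evaluate as `not (use_firewalld | bool)`, but since `use_firewalld` is a string rendered from a template, the parenthesised form `when: not (use_firewalld | bool)` makes the intent obvious and guards against a later edit dropping the filter, which would leave `not "False"` evaluating as false. The four gated tasks in this file and the two in inspector_bootstrap.yml are the only places that decide whether firewalld or raw iptables rules front the services, so the two conditions must remain exact complements; a comment on the first site, `# use_firewalld is a templated string: keep the | bool filter on every gate`, records that. The task definitions enclosing each `when:` line start outside the hunks.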
@@ -160,4 +160,4 @@
 state: enabled
 permanent: yes
 immediate: yes
- when: ansible_distribution in ["CentOS", "RedHat"]
+ when: use_firewalld | bool
diff --git a/releasenotes/notes/fedora-firewalld-f8e2e15be5fe43fd.yaml b/releasenotes/notes/fedora-firewalld-f8e2e15be5fe43fd.yaml
new file mode 100644
index 000000000..359006e6a
--- /dev/null
+++ b/releasenotes/notes/fedora-firewalld-f8e2e15be5fe43fd.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ FirewallD is now used on Fedora 32 and newer to fix firewall issues.