Create our own firewalld zone and use it on real bare metal
Modifying the public zone is questionable, let's use our own zone. Also let's make sure network_interface actually belongs to it. Change-Id: I63f5fa4845aa8f1c90a0c73dd78deb45aaaa4fd1
This commit is contained in:
parent
feff8e9de8
commit
710e0db068
@ -62,8 +62,15 @@ For the machine that hosts Bifrost you'll need to figure out:
|
||||
|
||||
* The network interface you're going to use for communication between the bare
|
||||
metal machines and the Bifrost services.
|
||||
|
||||
On systems using firewalld (CentOS and RHEL currently), a new zone
|
||||
``bifrost`` will be created, and the network interface will be moved to it.
|
||||
DHCP, PXE and API services will only be added to this zone. If you need any
|
||||
of them available in other zones, you need to configure firewall yourself.
|
||||
|
||||
* Pool of IP addresses for DHCP (must be within the network configured on the
|
||||
chosen network interface).
|
||||
|
||||
* Whether you want the services to use authentication via Keystone_.
|
||||
|
||||
For each machine that is going to be enrolled in the Bare Metal service you'll
|
||||
|
@ -51,6 +51,8 @@ network_interface: "virbr0"
|
||||
ans_network_interface: "{{ network_interface | replace('-', '_') }}"
|
||||
internal_interface: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4'] }}"
|
||||
internal_ip: "{{ internal_interface['address'] }}"
|
||||
# Our own firewalld zone, only applies when testing is false.
|
||||
firewalld_internal_zone: bifrost
|
||||
|
||||
# Normally this would setting would be http in a bifrost installation
|
||||
# without TLS. This setting allows a user to override the setting in case
|
||||
|
@ -22,23 +22,8 @@
|
||||
noauth_mode | bool == true and enable_keystone is defined and
|
||||
enable_keystone | bool == true
|
||||
|
||||
- block:
|
||||
- name: "Ask systemd to reload configuration"
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
- name: "Enable firewalld"
|
||||
service:
|
||||
name: firewalld
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: "Disable iptables (if enabled)"
|
||||
service:
|
||||
name: iptables
|
||||
state: stopped
|
||||
enabled: no
|
||||
ignore_errors: true
|
||||
- name: "Setup firewalld"
|
||||
include_tasks: setup_firewalld.yml
|
||||
when: ansible_distribution in ["CentOS", "RedHat"]
|
||||
|
||||
# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
|
||||
@ -367,7 +352,7 @@
|
||||
- name: "Enable services in firewalld"
|
||||
firewalld:
|
||||
service: "{{ item }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else 'public' }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
@ -380,7 +365,7 @@
|
||||
- name: "Enable ports in firewalld"
|
||||
firewalld:
|
||||
port: "{{ item }}/tcp"
|
||||
zone: "{{ 'libvirt' if testing | bool else 'public' }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
|
@ -147,7 +147,7 @@
|
||||
- name: "Inspector - Enable port in firewalld"
|
||||
firewalld:
|
||||
port: "5050/tcp"
|
||||
zone: "{{ 'libvirt' if testing else 'public' }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
|
@ -22,6 +22,10 @@
|
||||
name: "{{ required_packages }}"
|
||||
state: present
|
||||
|
||||
- name: "Ask systemd to reload configuration"
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
# NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
|
||||
# and it should already be created by the Ansible setup, we will leave this
|
||||
# here for the time being.
|
||||
|
@ -0,0 +1,50 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
---
|
||||
- name: "Enable firewalld"
|
||||
service:
|
||||
name: firewalld
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: "Disable iptables (if enabled)"
|
||||
service:
|
||||
name: iptables
|
||||
state: stopped
|
||||
enabled: no
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Create a firewalld zone"
|
||||
firewalld:
|
||||
zone: "{{ firewalld_internal_zone }}"
|
||||
state: present
|
||||
permanent: yes
|
||||
register: new_zone_result
|
||||
when: not testing | bool
|
||||
|
||||
- name: "Reload firewalld if needed"
|
||||
service:
|
||||
name: firewalld
|
||||
state: reloaded
|
||||
when:
|
||||
- new_zone_result is defined
|
||||
- new_zone_result.changed
|
||||
|
||||
- name: "Add the network interface to the new zone"
|
||||
firewalld:
|
||||
zone: "{{ firewalld_internal_zone }}"
|
||||
interface: "{{ network_interface }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
when: not testing | bool
|
11
releasenotes/notes/firewalld-zone-d8c72fb5924a4916.yaml
Normal file
11
releasenotes/notes/firewalld-zone-d8c72fb5924a4916.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Instead of modifying the ``public`` firewalld zone, creates a new zone
|
||||
``bifrost`` and puts the ``network_interface`` in it. Set
|
||||
``firewalld_internal_zone=public`` to revert to the previous behavior.
|
||||
upgrade:
|
||||
- |
|
||||
Bifrost no longer adds ironic and ironic-inspector endpoints to the public
|
||||
firewalld zone, the operator has to do it explicitly if external access
|
||||
is expected.
|
Loading…
x
Reference in New Issue
Block a user