Create our own firewalld zone and use it on real bare metal

Modifying the public zone is questionable, let's use our own zone.
Also let's make sure network_interface actually belongs to it.

Change-Id: I63f5fa4845aa8f1c90a0c73dd78deb45aaaa4fd1

doc/source/install/index.rst

@@ -62,8 +62,15 @@ For the machine that hosts Bifrost you'll need to figure out:
 
 * The network interface you're going to use for communication between the bare
   metal machines and the Bifrost services.
+
+  On systems using firewalld (CentOS and RHEL currently), a new zone
+  ``bifrost`` will be created, and the network interface will be moved to it.
+  DHCP, PXE and API services will only be added to this zone. If you need any
+  of them available in other zones, you need to configure firewall yourself.
+
 * Pool of IP addresses for DHCP (must be within the network configured on the
   chosen network interface).
+
 * Whether you want the services to use authentication via Keystone_.
 
 For each machine that is going to be enrolled in the Bare Metal service you'll

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -51,6 +51,8 @@ network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 internal_interface: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4'] }}"
 internal_ip: "{{ internal_interface['address'] }}"
+# Our own firewalld zone, only applies when testing is false.
+firewalld_internal_zone: bifrost
 
 # Normally this would setting would be http in a bifrost installation
 # without TLS. This setting allows a user to override the setting in case

playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml

@@ -22,23 +22,8 @@
     noauth_mode | bool == true and enable_keystone is defined and
     enable_keystone | bool == true
 
-- block:
+- name: "Setup firewalld"
-    - name: "Ask systemd to reload configuration"
+  include_tasks: setup_firewalld.yml
-      systemd:
-        daemon_reload: yes
-
-    - name: "Enable firewalld"
-      service:
-        name: firewalld
-        state: started
-        enabled: yes
-
-    - name: "Disable iptables (if enabled)"
-      service:
-        name: iptables
-        state: stopped
-        enabled: no
-      ignore_errors: true
   when: ansible_distribution in ["CentOS", "RedHat"]
 
 # NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
@@ -367,7 +352,7 @@
 - name: "Enable services in firewalld"
   firewalld:
     service: "{{ item }}"
-    zone: "{{ 'libvirt' if testing | bool else 'public' }}"
+    zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
     state: enabled
     permanent: yes
     immediate: yes
@@ -380,7 +365,7 @@
 - name: "Enable ports in firewalld"
   firewalld:
     port: "{{ item }}/tcp"
-    zone: "{{ 'libvirt' if testing | bool else 'public' }}"
+    zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
     state: enabled
     permanent: yes
     immediate: yes

playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml

@@ -147,7 +147,7 @@
 - name: "Inspector - Enable port in firewalld"
   firewalld:
     port: "5050/tcp"
-    zone: "{{ 'libvirt' if testing else 'public' }}"
+    zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
     state: enabled
     permanent: yes
     immediate: yes

playbooks/roles/bifrost-ironic-install/tasks/install.yml

@@ -22,6 +22,10 @@
     name: "{{ required_packages }}"
     state: present
 
+- name: "Ask systemd to reload configuration"
+  systemd:
+    daemon_reload: yes
+
 # NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
 # and it should already be created by the Ansible setup, we will leave this
 # here for the time being.

playbooks/roles/bifrost-ironic-install/tasks/setup_firewalld.yml

@@ -0,0 +1,50 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Enable firewalld"
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+- name: "Disable iptables (if enabled)"
+  service:
+    name: iptables
+    state: stopped
+    enabled: no
+  ignore_errors: true
+
+- name: "Create a firewalld zone"
+  firewalld:
+    zone: "{{ firewalld_internal_zone }}"
+    state: present
+    permanent: yes
+  register: new_zone_result
+  when: not testing | bool
+
+- name: "Reload firewalld if needed"
+  service:
+    name: firewalld
+    state: reloaded
+  when:
+    - new_zone_result is defined
+    - new_zone_result.changed
+
+- name: "Add the network interface to the new zone"
+  firewalld:
+    zone: "{{ firewalld_internal_zone }}"
+    interface: "{{ network_interface }}"
+    state: enabled
+    permanent: yes
+    immediate: yes
+  when: not testing | bool

releasenotes/notes/firewalld-zone-d8c72fb5924a4916.yaml

@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Instead of modifying the ``public`` firewalld zone, creates a new zone
+    ``bifrost`` and puts the ``network_interface`` in it. Set
+    ``firewalld_internal_zone=public`` to revert to the previous behavior.
+upgrade:
+  - |
+    Bifrost no longer adds ironic and ironic-inspector endpoints to the public
+    firewalld zone, the operator has to do it explicitly if external access
+    is expected.