Merge "Use firewalld to open ports on CentOS and RHEL."

2020-07-01 08:31:46 +00:00 · 2020-07-01 08:31:46 +00:00 · a5acc10c4d
commit a5acc10c4d
parent 00ac26e1e4 deaa4d7186
4 changed files with 57 additions and 1 deletions
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
@ -34,6 +34,8 @@ required_packages:
  - gcc
  - python3-pip
  - socat
+  - firewalld
+  - python3-firewall
 iscsi_required_packages:
  - iscsi-initiator-utils
  - gdisk
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -27,6 +27,25 @@
    enable_venv: true
  when: lookup('env', 'VENV') | length > 0

+- block:
+    - name: "Ask systemd to reload configuration"
+      systemd:
+        daemon_reload: yes
+
+    - name: "Enable firewalld"
+      service:
+        name: firewalld
+        state: started
+        enabled: yes
+
+    - name: "Disable iptables (if enabled)"
+      service:
+        name: iptables
+        state: stopped
+        enabled: no
+      ignore_errors: true
+  when: ansible_distribution in ["CentOS", "RedHat"]
+
 # NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
 # during bootstrapping. all other services are started in the Start phase.
 - name: "Start database service"
@ -318,6 +337,20 @@
  loop:
    - "{{ file_url_port }}"
    - 6385
+  when: ansible_distribution not in ["CentOS", "RedHat"]
+
+- name: "Enable ports in firewalld"
+  firewalld:
+    port: "{{ item }}/tcp"
+    zone: "{{ 'libvirt' if testing else 'public' }}"
+    state: enabled
+    permanent: yes
+    immediate: yes
+  loop:
+    - "{{ file_url_port }}"
+    - 6385
+  when: ansible_distribution in ["CentOS", "RedHat"]
+
 - block:
    - name: "Explicitly allow nginx and IPA port (TCP) on selinux"
      seport:
--- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
@ -103,4 +103,20 @@
  loop:
    - { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-inspector', username: 'ironic', args: '--config-file /etc/ironic-inspector/inspector.conf'}
 - name: "Inspector - Explicitly permit TCP/5050 for ironic-inspector callback"
-  command: iptables -I INPUT -p tcp --dport 5050 -i {{network_interface}} -j ACCEPT
+  iptables:
+    chain: INPUT
+    action: insert
+    protocol: tcp
+    destination_port: 5050
+    in_interface: "{{ network_interface }}"
+    jump: ACCEPT
+  when: ansible_distribution not in ["CentOS", "RedHat"]
+
+- name: "Inspector - Enable port in firewalld"
+  firewalld:
+    port: "5050/tcp"
+    zone: "{{ 'libvirt' if testing else 'public' }}"
+    state: enabled
+    permanent: yes
+    immediate: yes
+  when: ansible_distribution in ["CentOS", "RedHat"]
--- a/releasenotes/notes/firewalld-d53c6396828b91ee.yaml
+++ b/releasenotes/notes/firewalld-d53c6396828b91ee.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes deployment in a testing environment on CentOS 8 by using firewalld
+    instead of iptables to enable access from nodes to ironic.