From deaa4d7186c9937717424aafa1b3fef6af96fcf6 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Thu, 25 Jun 2020 16:21:02 +0200
Subject: [PATCH] Use firewalld to open ports on CentOS and RHEL.

The current code does not properly open ports in the libvirt zone and firewalld is the default in CentOS/RHEL 8. We will update Fedora once we switch to a newer version that defaults to firewalld (30 apparently does not).

Change-Id: If6b3d13e2b4bf0e71b0968850e05ea93efd6f189
---
 .../required_defaults_RedHat_family.yml | 2 ++
 .../tasks/bootstrap.yml | 33 +++++++++++++++++++
 .../tasks/inspector_bootstrap.yml | 18 +++++++++-
 .../notes/firewalld-d53c6396828b91ee.yaml | 5 +++
 4 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/firewalld-d53c6396828b91ee.yaml

diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
index d308c685f..af51b4f8e 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
@@ -34,6 +34,8 @@ required_packages:
 - gcc
 - python3-pip
 - socat
+ - firewalld
+ - python3-firewall
 iscsi_required_packages:
 - iscsi-initiator-utils
 - gdisk
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index 14a5c7702..5c654833a 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -27,6 +27,25 @@
 enable_venv: true
 when: lookup('env', 'VENV') | length > 0
+- block:
+ - name: "Ask systemd to reload configuration"
+ systemd:
+ daemon_reload: yes
+
+ - name: "Enable firewalld"
+ service:
+ name: firewalld
+ state: started
+ enabled: yes
+
+ - name: "Disable iptables (if enabled)"
+ service:
+ name: iptables
+ state: stopped
+ enabled: no
+ ignore_errors: true
+ when: ansible_distribution in ["CentOS", "RedHat"]
+
 # NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
 # during bootstrapping. all other services are started in the Start phase.
 - name: "Start database service"
@@ -318,6 +337,20 @@
 loop:
 - "{{ file_url_port }}"
 - 6385
+ when: ansible_distribution not in ["CentOS", "RedHat"]
+
+- name: "Enable ports in firewalld"
+ firewalld:
+ port: "{{ item }}/tcp"
+ zone: "{{ 'libvirt' if testing else 'public' }}"
+ state: enabled
+ permanent: yes
+ immediate: yes
+ loop:
+ - "{{ file_url_port }}"
+ - 6385
+ when: ansible_distribution in ["CentOS", "RedHat"]
+
 - block:
+ - name: "Explicitly allow nginx and IPA port (TCP) on selinux"
 seport:
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
index 15ec89633..4f67607b4 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
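Review bot: The `Disable iptables (if enabled)` task silences every outcome with `ignore_errors: true`, so the expected "unit not found" case on hosts without iptables-services and a genuine failure to stop a running iptables service both end up as a red ignored line with the play carrying on; `failed_when: false` documents the first case without hiding the second, or gate the task on the unit existing so real failures surface. Only `iptables` is handled; presumably firewalld's own unit conflicts take care of ip6tables, but that is worth confirming on CentOS/RHEL 8 rather than assuming. Starting firewalld in this block also means the host's default zone applies until the `Enable ports in firewalld` task further down the file runs, so any rule previously added through iptables is gone in between; a comment such as `# firewalld replaces iptables here; ports are re-opened in the firewalld tasks below` would make that ordering explicit. The new tasks mix `yes`/`no` with the `true` used on `ignore_errors` and on the surrounding `enable_venv: true`; normalize to `true`/`false`.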
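Review bot: The firewalld path loses the interface scoping that the iptables task keeps through `in_interface: "{{ network_interface }}"`: `port: "{{ item }}/tcp"` in the `public` zone opens 6385 and `file_url_port` on every interface that zone covers, not only the provisioning network, which widens exposure of the ironic API and the image server on multi-homed hosts. Zones are the interface scope in firewalld, so consider binding `network_interface` to the chosen zone explicitly (the module's `interface` parameter, or a dedicated zone) instead of relying on whichever zone the host's interfaces default to. The same applies to the `Inspector - Enable port in firewalld` task in inspector_bootstrap.yml. The `'libvirt' if testing else 'public'` expression is now repeated in both files; a single role default such as `firewalld_zone` would keep them from drifting.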
@@ -103,4 +103,20 @@
 loop:
 - { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-inspector', username: 'ironic', args: '--config-file /etc/ironic-inspector/inspector.conf'}
 - name: "Inspector - Explicitly permit TCP/5050 for ironic-inspector callback"
- command: iptables -I INPUT -p tcp --dport 5050 -i {{network_interface}} -j ACCEPT
+ iptables:
+ chain: INPUT
+ action: insert
+ protocol: tcp
+ destination_port: 5050
+ in_interface: "{{ network_interface }}"
+ jump: ACCEPT
+ when: ansible_distribution not in ["CentOS", "RedHat"]
+
+- name: "Inspector - Enable port in firewalld"
+ firewalld:
+ port: "5050/tcp"
+ zone: "{{ 'libvirt' if testing else 'public' }}"
+ state: enabled
+ permanent: yes
+ immediate: yes
+ when: ansible_distribution in ["CentOS", "RedHat"]
diff --git a/releasenotes/notes/firewalld-d53c6396828b91ee.yaml b/releasenotes/notes/firewalld-d53c6396828b91ee.yaml
new file mode 100644
index 000000000..de64303e1
--- /dev/null
+++ b/releasenotes/notes/firewalld-d53c6396828b91ee.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixes deployment in a testing environment on CentOS 8 by using firewalld
+ instead of iptables to enable access from nodes to ironic.
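Review bot: `immediate: yes` on the `Inspector - Enable port in firewalld` task needs a running firewalld, and nothing in this file ensures that; it relies on the `Enable firewalld` block in bootstrap.yml having run first, an ordering that is easy to break when the task files are reused separately. A comment such as `# firewalld is started in bootstrap.yml; immediate: yes requires it to be running` would make the dependency visible, or the task could assert the service state itself. `testing` is presumably a role default, but since the zone choice hinges on it, a brief comment on what a truthy `testing` means for the zone would help the next reader.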