openstack/bifrost
Code Issues Proposed changes

Merge "Use firewalld to open ports on CentOS and RHEL."

Browse Source
This commit is contained in:
Zuul 2020-07-01 08:31:46 +00:00 committed by Gerrit Code Review
commit a5acc10c4d
4 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
View File

@ -34,6 +34,8 @@ required_packages:
- gcc - gcc
- python3-pip - python3-pip
- socat - socat
- firewalld
- python3-firewall
iscsi_required_packages: iscsi_required_packages:
- iscsi-initiator-utils - iscsi-initiator-utils
- gdisk - gdisk

33
playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
View File

@ -27,6 +27,25 @@
enable_venv: true enable_venv: true
when: lookup('env', 'VENV') | length > 0 when: lookup('env', 'VENV') | length > 0
- block:
- name: "Ask systemd to reload configuration"
systemd:
daemon_reload: yes
- name: "Enable firewalld"
service:
name: firewalld
state: started
enabled: yes
- name: "Disable iptables (if enabled)"
service:
name: iptables
state: stopped
enabled: no
ignore_errors: true
when: ansible_distribution in ["CentOS", "RedHat"]
# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started # NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
# during bootstrapping. all other services are started in the Start phase. # during bootstrapping. all other services are started in the Start phase.
- name: "Start database service" - name: "Start database service"
@ -318,6 +337,20 @@
loop: loop:
- "{{ file_url_port }}" - "{{ file_url_port }}"
- 6385 - 6385
when: ansible_distribution not in ["CentOS", "RedHat"]
- name: "Enable ports in firewalld"
firewalld:
port: "{{ item }}/tcp"
zone: "{{ 'libvirt' if testing else 'public' }}"
state: enabled
permanent: yes
immediate: yes
loop:
- "{{ file_url_port }}"
- 6385
when: ansible_distribution in ["CentOS", "RedHat"]
- block: - block:
- name: "Explicitly allow nginx and IPA port (TCP) on selinux" - name: "Explicitly allow nginx and IPA port (TCP) on selinux"
seport: seport:

18
playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
View File

@ -103,4 +103,20 @@
loop: loop:
- { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-inspector', username: 'ironic', args: '--config-file /etc/ironic-inspector/inspector.conf'} - { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-inspector', username: 'ironic', args: '--config-file /etc/ironic-inspector/inspector.conf'}
- name: "Inspector - Explicitly permit TCP/5050 for ironic-inspector callback" - name: "Inspector - Explicitly permit TCP/5050 for ironic-inspector callback"
command: iptables -I INPUT -p tcp --dport 5050 -i {{network_interface}} -j ACCEPT iptables:
chain: INPUT
action: insert
protocol: tcp
destination_port: 5050
in_interface: "{{ network_interface }}"
jump: ACCEPT
when: ansible_distribution not in ["CentOS", "RedHat"]
- name: "Inspector - Enable port in firewalld"
firewalld:
port: "5050/tcp"
zone: "{{ 'libvirt' if testing else 'public' }}"
state: enabled
permanent: yes
immediate: yes
when: ansible_distribution in ["CentOS", "RedHat"]

5
releasenotes/notes/firewalld-d53c6396828b91ee.yaml Normal file
View File

@ -0,0 +1,5 @@
---
fixes:
- |
Fixes deployment in a testing environment on CentOS 8 by using firewalld
instead of iptables to enable access from nodes to ironic.