Support configuration of firewalld
Adds support for configuring firewalld for CentOS hosts managed by Kayobe. * create zones * set default zone * set zone for interfaces * define rules Change-Id: Id60e25e129e323f3c07e702bb81a11efc530fb3e Story: 2008991 Task: 42644
parent
f09faa43d1
commit
7d15aa16f2
12
ansible/firewall.yml
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure firewall is configured
|
||||||
|
hosts: seed-hypervisor:seed:overcloud
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- firewall
|
||||||
|
tasks:
|
||||||
|
- name: Configure the firewall
|
||||||
|
include_role:
|
||||||
|
name: "firewall-{{ ansible_facts.os_family | lower }}"
|
||||||
|
when:
|
||||||
|
- ansible_facts.os_family == 'RedHat'
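Review bot: `include_role` templates the role name from `ansible_facts.os_family`, but the `when` restricts the task to `RedHat`, so only `firewall-redhat` can ever be included and hosts of any other family are skipped silently with no firewall managed at all. A comment would make that intent explicit, e.g. `# Only firewall-redhat exists today; other OS families are skipped (no firewall support on Ubuntu, see docs).` If a `firewall-debian` role is added later, the `when` list will need to grow with it.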
|
@ -133,3 +133,24 @@ compute_sysctl_parameters: {}
|
|||||||
# List of users to create. This should be in a format accepted by the
|
# List of users to create. This should be in a format accepted by the
|
||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
compute_users: "{{ users_default }}"
|
compute_users: "{{ users_default }}"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Compute node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
compute_firewalld_enabled: false
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
compute_firewalld_zones: []
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
compute_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
compute_firewalld_rules: []
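Review bot: The comment `# Whether to install and enable firewalld.` above `compute_firewalld_enabled: false` understates what `false` does: the role's tasks/main.yml includes disabled.yml in that case, which stops and disables the service and then removes the firewalld package, so the default is not "leave the firewall alone". Together with the globals.yml.j2 hunk that sets kolla-ansible's `disable_firewall` to false on non-Debian hosts, this means CentOS hosts get firewalld uninstalled on the next host configure unless an operator opts in, which is worth stating next to the variable. Suggest `# Whether to install and enable firewalld. When false, firewalld is stopped, disabled and uninstalled.` here and in the matching controller, monitoring, seed, seed-hypervisor and storage hunks, the group_vars/*/firewall files, the role defaults and the etc/kayobe templates.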
|
||||||
|
@ -155,3 +155,24 @@ controller_sysctl_parameters: {}
|
|||||||
# List of users to create. This should be in a format accepted by the
|
# List of users to create. This should be in a format accepted by the
|
||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
controller_users: "{{ users_default }}"
|
controller_users: "{{ users_default }}"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Controller node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
controller_firewalld_enabled: false
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
controller_firewalld_zones: []
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
controller_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
controller_firewalld_rules: []
|
||||||
|
@ -94,3 +94,24 @@ monitoring_sysctl_parameters: "{{ controller_sysctl_parameters }}"
|
|||||||
# List of users to create. This should be in a format accepted by the
|
# List of users to create. This should be in a format accepted by the
|
||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
monitoring_users: "{{ controller_users }}"
|
monitoring_users: "{{ controller_users }}"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Monitoring node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
monitoring_firewalld_enabled: "{{ controller_firewalld_enabled }}"
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
monitoring_firewalld_zones: "{{ controller_firewalld_zones }}"
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
monitoring_firewalld_rules: "{{ controller_firewalld_rules }}"
|
||||||
|
@ -113,3 +113,24 @@ seed_users: "{{ users_default }}"
|
|||||||
# post: "{{ kayobe_env_config_path }}/containers/squid/post.yml"
|
# post: "{{ kayobe_env_config_path }}/containers/squid/post.yml"
|
||||||
#
|
#
|
||||||
seed_containers: {}
|
seed_containers: {}
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Seed node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
seed_firewalld_enabled: false
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
seed_firewalld_zones: []
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
seed_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
seed_firewalld_rules: []
|
||||||
|
@ -128,3 +128,24 @@ seed_hypervisor_sysctl_parameters: {}
|
|||||||
# List of users to create. This should be in a format accepted by the
|
# List of users to create. This should be in a format accepted by the
|
||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
seed_hypervisor_users: "{{ users_default }}"
|
seed_hypervisor_users: "{{ users_default }}"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Seed hypervisor node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
seed_hypervisor_firewalld_enabled: false
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
seed_hypervisor_firewalld_zones: []
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
seed_hypervisor_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
seed_hypervisor_firewalld_rules: []
|
||||||
|
@ -145,3 +145,24 @@ storage_sysctl_parameters: {}
|
|||||||
# List of users to create. This should be in a format accepted by the
|
# List of users to create. This should be in a format accepted by the
|
||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
storage_users: "{{ users_default }}"
|
storage_users: "{{ users_default }}"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Storage node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
storage_firewalld_enabled: false
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
storage_firewalld_zones: []
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
storage_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
storage_firewalld_rules: []
|
||||||
|
21
ansible/group_vars/compute/firewall
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
###############################################################################
|
||||||
|
# Compute node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: "{{ compute_firewalld_enabled }}"
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: "{{ compute_firewalld_zones }}"
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone: "{{ compute_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: "{{ compute_firewalld_rules }}"
|
21
ansible/group_vars/controllers/firewall
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
###############################################################################
|
||||||
|
# Controller node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: "{{ controller_firewalld_enabled }}"
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: "{{ controller_firewalld_zones }}"
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: "{{ controller_firewalld_rules }}"
|
33
ansible/group_vars/monitoring/firewall
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
###############################################################################
|
||||||
|
# Monitoring node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: >-
|
||||||
|
{{ controller_firewalld_enabled
|
||||||
|
if inventory_hostname in groups['controllers'] else
|
||||||
|
monitoring_firewalld_enabled }}
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: >
|
||||||
|
{{ controller_firewalld_zones
|
||||||
|
if inventory_hostname in groups['controllers'] else
|
||||||
|
monitoring_firewalld_zones }}
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone: >-
|
||||||
|
{{ controller_firewalld_default_zone
|
||||||
|
if inventory_hostname in groups['controllers'] else
|
||||||
|
monitoring_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: >
|
||||||
|
{{ controller_firewalld_rules
|
||||||
|
if inventory_hostname in groups['controllers'] else
|
||||||
|
monitoring_firewalld_rules }}"
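Review bot: `monitoring_firewalld_default_zone }}"` and `monitoring_firewalld_rules }}"` end with a stray double quote inside a folded scalar, so the rendered value carries a literal `"`: the default zone becomes e.g. `public"`, which makes the `current_default_zone.stdout != firewalld_default_zone` comparison in enabled.yml always true and passes a bad zone name to `firewall-offline-cmd`, and the rules value is very likely no longer recognised as a list by `loop:`. The `firewalld_zones: >` and `firewalld_rules: >` keys also use `>` rather than the `>-` used for the other two entries, which keeps a trailing newline in the value. Drop the trailing `"` on both lines and use `>-` on all four keys so this file behaves like the other group_vars/*/firewall files.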
|
21
ansible/group_vars/seed-hypervisor/firewall
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
###############################################################################
|
||||||
|
# Seed Hypervisor node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: "{{ seed_hypervisor_firewalld_enabled }}"
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: "{{ seed_hypervisor_firewalld_zones }}"
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone: "{{ seed_hypervisor_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: "{{ seed_hypervisor_firewalld_rules }}"
|
21
ansible/group_vars/seed/firewall
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
###############################################################################
|
||||||
|
# Seed node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: "{{ seed_firewalld_enabled }}"
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: "{{ seed_firewalld_zones }}"
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone: "{{ seed_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: "{{ seed_firewalld_rules }}"
|
21
ansible/group_vars/storage/firewall
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
###############################################################################
|
||||||
|
# Storage node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: "{{ storage_firewalld_enabled }}"
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: "{{ storage_firewalld_zones }}"
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone: "{{ storage_firewalld_default_zone }}"
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: "{{ storage_firewalld_rules }}"
|
18
ansible/roles/firewall-redhat/defaults/main.yml
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
firewalld_enabled: false
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
firewalld_zones: []
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
firewalld_rules: []
|
10
ansible/roles/firewall-redhat/handlers/main.yml
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
- name: Restart firewalld
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
state: restarted
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Check connectivity after firewalld restart
|
||||||
|
ping:
|
||||||
|
listen: Restart firewalld
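Review bot: `state: restarted` stops firewalld before starting it again, and firewalld by default (CleanupOnExit) flushes its ruleset on stop, so every configuration change leaves the host unfiltered for the duration of the restart; a reload (`firewall-cmd --reload`, or the service module's `state: reloaded`) re-reads the permanent configuration without dropping the live rules. The FIXME in tasks/enabled.yml suggests offline changes were not picked up cleanly, so this needs verifying on a test host before switching. The `ping:` listener is a useful guard, but it only reports a lockout after the fact; a comment stating that this handler is the only point at which the offline/permanent changes reach the running firewall would help operators reading the role.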
|
18
ansible/roles/firewall-redhat/tasks/disabled.yml
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure firewalld service is stopped and disabled
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
enabled: false
|
||||||
|
state: stopped
|
||||||
|
become: true
|
||||||
|
register: firewalld_result
|
||||||
|
failed_when:
|
||||||
|
- firewalld_result is failed
|
||||||
|
# Ugh, Ansible's service module doesn't handle uninstalled services.
|
||||||
|
- "'Could not find the requested service' not in firewalld_result.msg"
|
||||||
|
|
||||||
|
- name: Ensure firewalld package is uninstalled
|
||||||
|
package:
|
||||||
|
name: firewalld
|
||||||
|
state: absent
|
||||||
|
become: true
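Review bot: The `failed_when` guard compares `firewalld_result.msg` against the exact text `Could not find the requested service`, which is Ansible's own wording and may change between releases or when the service module selects a different service manager; if it does, a host that never had firewalld installed fails this task. Short of checking `package_facts` first so the service task is skipped rather than tolerated, at least make the intent explicit in the comment, e.g. `# Ugh, Ansible's service module doesn't handle uninstalled services; tolerate its "not found" error so hosts without firewalld still pass.`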
|
71
ansible/roles/firewall-redhat/tasks/enabled.yml
@ -0,0 +1,71 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure firewalld package is installed
|
||||||
|
package:
|
||||||
|
name: firewalld
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Ensure firewalld service is enabled
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
enabled: true
|
||||||
|
# FIXME: should be possible to configure firewalld offline, but it fails to
|
||||||
|
# apply config.
|
||||||
|
state: started
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Get firewalld current default zone
|
||||||
|
command:
|
||||||
|
cmd: "firewall-offline-cmd --get-default-zone"
|
||||||
|
changed_when: false
|
||||||
|
register: current_default_zone
|
||||||
|
|
||||||
|
- name: Set firewalld default zone
|
||||||
|
command: "firewall-offline-cmd --set-default-zone {{ firewalld_default_zone }}"
|
||||||
|
when: current_default_zone.stdout != firewalld_default_zone
|
||||||
|
notify: Restart firewalld
|
||||||
|
become: true
|
||||||
|
when:
|
||||||
|
- firewalld_default_zone is not none
|
||||||
|
- firewalld_default_zone | length > 0
|
||||||
|
|
||||||
|
- name: Ensure firewalld zones exist
|
||||||
|
firewalld:
|
||||||
|
offline: true
|
||||||
|
permanent: true
|
||||||
|
state: "{{ item.state | default('present') }}"
|
||||||
|
zone: "{{ item.zone }}"
|
||||||
|
become: true
|
||||||
|
loop: "{{ firewalld_zones }}"
|
||||||
|
|
||||||
|
- name: Set firewalld zones for network interfaces
|
||||||
|
firewalld:
|
||||||
|
interface: "{{ item | net_interface }}"
|
||||||
|
offline: true
|
||||||
|
permanent: true
|
||||||
|
state: enabled
|
||||||
|
zone: "{{ item | net_zone }}"
|
||||||
|
become: true
|
||||||
|
loop: "{{ network_interfaces }}"
|
||||||
|
when: item | net_zone
|
||||||
|
notify: Restart firewalld
|
||||||
|
|
||||||
|
- name: Ensure firewalld rules are applied
|
||||||
|
firewalld:
|
||||||
|
icmp_block: "{{ item.icmp_block | default(omit) }}"
|
||||||
|
icmp_block_inversion: "{{ item.icmp_block_inversion | default(omit) }}"
|
||||||
|
immediate: "{{ item.immediate | default(omit) }}"
|
||||||
|
interface: "{{ item.interface | default(omit) }}"
|
||||||
|
masquerade: "{{ item.masquerade | default(omit) }}"
|
||||||
|
offline: "{{ item.offline | default(true) }}"
|
||||||
|
permanent: "{{ item.permanent | default(true) }}"
|
||||||
|
port: "{{ item.port | default(omit) }}"
|
||||||
|
rich_rule: "{{ item.rich_rule | default(omit) }}"
|
||||||
|
service: "{{ item.service | default(omit) }}"
|
||||||
|
source: "{{ item.source | default(omit) }}"
|
||||||
|
state: "{{ item.state | default('enabled') }}"
|
||||||
|
timeout: "{{ item.timeout | default(omit) }}"
|
||||||
|
zone: "{{ item.zone | default(omit) }}"
|
||||||
|
become: true
|
||||||
|
loop: "{{ firewalld_rules }}"
|
||||||
|
notify: Restart firewalld
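Review bot: `Ensure firewalld zones exist` writes permanent, offline configuration but has no `notify: Restart firewalld`, unlike the interface and rules tasks that follow, so a zone change that is not accompanied by a rule change (for example a zone set to `state: absent`) never reaches the running firewall; add `notify: Restart firewalld` to that task. Separately, `command: "firewall-offline-cmd --set-default-zone {{ firewalld_default_zone }}"` splits the templated value on whitespace, whereas the preceding task uses `cmd:`; `argv: ["firewall-offline-cmd", "--set-default-zone", "{{ firewalld_default_zone }}"]` keeps the zone as a single argument. Note also that the service is started before any zone, interface or rule is written and nothing sets `immediate`, so the running firewall carries the package defaults until the handler fires at the end of the play; the FIXME explains why, but a comment on the service task describing that window would help operators.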
|
3
ansible/roles/firewall-redhat/tasks/main.yml
@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
- name: Include tasks
|
||||||
|
include_tasks: "{{ 'enabled' if firewalld_enabled | bool else 'disabled' }}.yml"
|
@ -565,6 +565,9 @@ kolla_group: "{{ kolla_ansible_group }}"
|
|||||||
virtualenv: {{ kolla_ansible_target_venv }}
|
virtualenv: {{ kolla_ansible_target_venv }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
# Avoid disabling the firewall on CentOS, since we manage it in Kayobe.
|
||||||
|
disable_firewall: "{% raw %}{{ ansible_facts.os_family == 'Debian' }}{% endraw %}"
|
||||||
|
|
||||||
{% if kolla_extra_globals %}
|
{% if kolla_extra_globals %}
|
||||||
#######################
|
#######################
|
||||||
# Extra configuration
|
# Extra configuration
|
||||||
|
@ -328,6 +328,98 @@ Network Configuration
|
|||||||
Configuration of host networking is covered in depth in
|
Configuration of host networking is covered in depth in
|
||||||
:ref:`configuration-network`.
|
:ref:`configuration-network`.
|
||||||
|
|
||||||
|
Firewalld
|
||||||
|
=========
|
||||||
|
*tags:*
|
||||||
|
| ``firewall``
|
||||||
|
|
||||||
|
.. note:: Firewalld is supported on CentOS systems only. Currently no
|
||||||
|
firewall is supported on Ubuntu.
|
||||||
|
|
||||||
|
Firewalld can be used to provide a firewall on CentOS systems. Since the Xena
|
||||||
|
release, Kayobe provides support for enabling or disabling firewalld, as well
|
||||||
|
as defining zones and rules.
|
||||||
|
|
||||||
|
The following variables can be used to set whether to enable firewalld:
|
||||||
|
|
||||||
|
* ``seed_hypervisor_firewalld_enabled``
|
||||||
|
* ``seed_firewalld_enabled``
|
||||||
|
* ``compute_firewalld_enabled``
|
||||||
|
* ``controller_firewalld_enabled``
|
||||||
|
* ``monitoring_firewalld_enabled``
|
||||||
|
* ``storage_firewalld_enabled``
|
||||||
|
|
||||||
|
When firewalld is enabled, the following variables can be used to configure a
|
||||||
|
list of zones to create. Each item is a dict containing a ``zone`` item:
|
||||||
|
|
||||||
|
* ``seed_hypervisor_firewalld_zones``
|
||||||
|
* ``seed_firewalld_zones``
|
||||||
|
* ``compute_firewalld_zones``
|
||||||
|
* ``controller_firewalld_zones``
|
||||||
|
* ``monitoring_firewalld_zones``
|
||||||
|
* ``storage_firewalld_zones``
|
||||||
|
|
||||||
|
The following variables can be used to set a default zone. The default is
|
||||||
|
unset, in which case the default zone will not be changed:
|
||||||
|
|
||||||
|
* ``seed_hypervisor_firewalld_default_zone``
|
||||||
|
* ``seed_firewalld_default_zone``
|
||||||
|
* ``compute_firewalld_default_zone``
|
||||||
|
* ``controller_firewalld_default_zone``
|
||||||
|
* ``monitoring_firewalld_default_zone``
|
||||||
|
* ``storage_firewalld_default_zone``
|
||||||
|
|
||||||
|
The following variables can be used to set a list of rules to apply. Each item
|
||||||
|
is a dict containing arguments to pass to the ``firewalld`` module. Arguments
|
||||||
|
are omitted if not provided, with the following exceptions: ``offline``
|
||||||
|
(default ``true``), ``permanent`` (default ``true``), ``state`` (default
|
||||||
|
``enabled``):
|
||||||
|
|
||||||
|
* ``seed_hypervisor_firewalld_rules``
|
||||||
|
* ``seed_firewalld_rules``
|
||||||
|
* ``compute_firewalld_rules``
|
||||||
|
* ``controller_firewalld_rules``
|
||||||
|
* ``monitoring_firewalld_rules``
|
||||||
|
* ``storage_firewalld_rules``
|
||||||
|
|
||||||
|
In the following example, firewalld is enabled on controllers. ``public`` and
|
||||||
|
``internal`` zones are created, with their default rules disabled. TCP port
|
||||||
|
8080 is open in the ``internal`` zone, and the ``http`` service is open in the
|
||||||
|
``public`` zone:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
controller_firewalld_enabled: true
|
||||||
|
|
||||||
|
controller_firewalld_zones:
|
||||||
|
- zone: public
|
||||||
|
- zone: internal
|
||||||
|
|
||||||
|
controller_firewalld_rules:
|
||||||
|
# Disable default rules in internal zone.
|
||||||
|
- service: dhcpv6-client
|
||||||
|
state: disabled
|
||||||
|
zone: internal
|
||||||
|
- service: samba-client
|
||||||
|
state: disabled
|
||||||
|
zone: internal
|
||||||
|
- service: ssh
|
||||||
|
state: disabled
|
||||||
|
zone: internal
|
||||||
|
# Disable default rules in public zone.
|
||||||
|
- service: dhcpv6-client
|
||||||
|
state: disabled
|
||||||
|
zone: public
|
||||||
|
- service: ssh
|
||||||
|
state: disabled
|
||||||
|
zone: public
|
||||||
|
# Enable TCP port 8080 in internal zone.
|
||||||
|
- port: 8080/tcp
|
||||||
|
zone: internal
|
||||||
|
# Enable the HTTP service in the public zone.
|
||||||
|
- service: http
|
||||||
|
zone: public
|
||||||
|
|
||||||
Sysctls
|
Sysctls
|
||||||
=======
|
=======
|
||||||
*tags:*
|
*tags:*
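Review bot: The example disables the `ssh` service in both the `public` and `internal` zones without allowing it anywhere else, and it leaves the default zone unset, so on a host whose interfaces fall into `public` a reader who copies it verbatim would lose SSH access once the `Restart firewalld` handler runs (the `Check connectivity after firewalld restart` handler would then fail). Worth adding a sentence after the example stating that it assumes SSH reaches the controllers through a zone not shown here, and that operators must keep `ssh` enabled in the zone carrying their management interface. The paragraph `Since the Xena release, Kayobe provides support for enabling or disabling firewalld` should also say that when the `*_firewalld_enabled` variable is false the firewalld package is stopped, disabled and removed, since that is what the role's disabled.yml does.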
|
||||||
|
@ -115,6 +115,27 @@
|
|||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
#compute_users:
|
#compute_users:
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Compute node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
#compute_firewalld_enabled:
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
#compute_firewalld_zones:
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
#compute_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
#compute_firewalld_rules:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Dummy variable to allow Ansible to accept this file.
|
# Dummy variable to allow Ansible to accept this file.
|
||||||
workaround_ansible_issue_8743: yes
|
workaround_ansible_issue_8743: yes
|
||||||
|
@ -124,6 +124,27 @@
|
|||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
#controller_users:
|
#controller_users:
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Controller node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
#controller_firewalld_enabled:
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
#controller_firewalld_zones:
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
#controller_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
#controller_firewalld_rules:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Dummy variable to allow Ansible to accept this file.
|
# Dummy variable to allow Ansible to accept this file.
|
||||||
workaround_ansible_issue_8743: yes
|
workaround_ansible_issue_8743: yes
|
||||||
|
@ -88,6 +88,27 @@
|
|||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
#monitoring_users:
|
#monitoring_users:
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Monitoring node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
#monitoring_firewalld_enabled:
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
#monitoring_firewalld_zones:
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
#monitoring_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
#monitoring_firewalld_rules:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Dummy variable to allow Ansible to accept this file.
|
# Dummy variable to allow Ansible to accept this file.
|
||||||
workaround_ansible_issue_8743: yes
|
workaround_ansible_issue_8743: yes
|
||||||
|
@ -104,6 +104,27 @@
|
|||||||
# singleplatform-eng.users role.
|
# singleplatform-eng.users role.
|
||||||
#seed_hypervisor_users:
|
#seed_hypervisor_users:
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Seed hypervisor node firewalld configuration.
|
||||||
|
|
||||||
|
# Whether to install and enable firewalld.
|
||||||
|
#seed_hypervisor_firewalld_enabled:
|
||||||
|
|
||||||
|
# A list of zones to create. Each item is a dict containing a 'zone' item.
|
||||||
|
#seed_hypervisor_firewalld_zones:
|
||||||
|
|
||||||
|
# A firewalld zone to set as the default. Default is unset, in which case the
|
||||||
|
# default zone will not be changed.
|
||||||
|
#seed_hypervisor_firewalld_default_zone:
|
||||||
|
|
||||||
|
# A list of firewall rules to apply. Each item is a dict containing arguments
|
||||||
|
# to pass to the firewalld module. Arguments are omitted if not provided, with
|
||||||
|
# the following exceptions:
|
||||||
|
# - offline: true
|
||||||
|
# - permanent: true
|
||||||
|
# - state: enabled
|
||||||
|
#seed_hypervisor_firewalld_rules:
###############################################################################
###############################################################################
# Dummy variable to allow Ansible to accept this file.
# Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes
workaround_ansible_issue_8743: yes
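Review bot: The comment above `seed_hypervisor_firewalld_enabled` does not say that the setting only takes effect on CentOS hosts, which is the scope the release note in this commit gives, so a reader of this file would expect it to apply to any seed hypervisor. Suggest `# Whether to install and enable firewalld. Only applied on CentOS hosts; ignored elsewhere.` The same applies to the `seed_firewalld_*` and `storage_firewalld_*` blocks in the following hunks, and to the `monitoring_firewalld_*` block above, whose hunk starts before this view. The rules comment also lists `permanent: true` as a default but says nothing about `immediate`, so whether a rule is live in the running firewall before a firewalld reload depends on how the role applies them, which is not visible here; a sentence stating when rules take effect would let operators verify the running firewall matches this configuration.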
@ -97,6 +97,27 @@
#
#
#seed_containers:
#seed_containers:
###############################################################################
# Seed node firewalld configuration.
# Whether to install and enable firewalld.
#seed_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#seed_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#seed_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#seed_firewalld_rules:
###############################################################################
###############################################################################
# Dummy variable to allow Ansible to accept this file.
# Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes
workaround_ansible_issue_8743: yes
@ -120,6 +120,27 @@
# singleplatform-eng.users role.
# singleplatform-eng.users role.
#storage_users:
#storage_users:
###############################################################################
# Storage node firewalld configuration.
# Whether to install and enable firewalld.
#storage_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#storage_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#storage_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#storage_firewalld_rules:
###############################################################################
###############################################################################
# Dummy variable to allow Ansible to accept this file.
# Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes
workaround_ansible_issue_8743: yes
@ -413,6 +413,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
* Optionally, wipe unmounted disk partitions (--wipe-disks).
* Optionally, wipe unmounted disk partitions (--wipe-disks).
* Configure user accounts, group associations, and authorised SSH keys.
* Configure user accounts, group associations, and authorised SSH keys.
* Configure the host's network interfaces.
* Configure the host's network interfaces.
* Configure a firewall.
* Set sysctl parameters.
* Set sysctl parameters.
* Configure timezone and ntp.
* Configure timezone and ntp.
* Optionally, configure software RAID arrays.
* Optionally, configure software RAID arrays.
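Review bot: The new docstring bullet `* Configure a firewall.` reads as unconditional, but the release note in this commit scopes firewall configuration to firewalld on CentOS, so a host on another distribution will pass through this step without a firewall being applied; the same bullet is added to SeedHostConfigure and OvercloudHostConfigure in the later hunks. Suggest `* Configure a firewall (firewalld, CentOS hosts only).` so operators reading the command help do not assume a firewall is in place on other hosts. The enclosing docstring starts outside this hunk.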
@ -453,7 +454,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
if parsed_args.wipe_disks:
if parsed_args.wipe_disks:
playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list(
playbooks += _build_playbook_list(
"users", "dev-tools", "network", "sysctl", "time",
"users", "dev-tools", "network", "firewall", "sysctl", "time",
"mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
"mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
self.run_kayobe_playbooks(parsed_args, playbooks,
self.run_kayobe_playbooks(parsed_args, playbooks,
limit="seed-hypervisor")
limit="seed-hypervisor")
@ -571,6 +572,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
* Configure user accounts, group associations, and authorised SSH keys.
* Configure user accounts, group associations, and authorised SSH keys.
* Disable SELinux.
* Disable SELinux.
* Configure the host's network interfaces.
* Configure the host's network interfaces.
* Configure a firewall.
* Set sysctl parameters.
* Set sysctl parameters.
* Configure IP routing and source NAT.
* Configure IP routing and source NAT.
* Disable bootstrap interface configuration.
* Disable bootstrap interface configuration.
@ -607,7 +609,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
if parsed_args.wipe_disks:
if parsed_args.wipe_disks:
playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list(
playbooks += _build_playbook_list(
"users", "dev-tools", "disable-selinux", "network",
"users", "dev-tools", "disable-selinux", "network", "firewall",
"sysctl", "ip-routing", "snat", "disable-glean", "time",
"sysctl", "ip-routing", "snat", "disable-glean", "time",
"mdadm", "luks", "lvm", "docker-devicemapper",
"mdadm", "luks", "lvm", "docker-devicemapper",
"kolla-ansible-user", "kolla-pip", "kolla-target-venv")
"kolla-ansible-user", "kolla-pip", "kolla-target-venv")
@ -946,6 +948,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
* Configure user accounts, group associations, and authorised SSH keys.
* Configure user accounts, group associations, and authorised SSH keys.
* Disable SELinux.
* Disable SELinux.
* Configure the host's network interfaces.
* Configure the host's network interfaces.
* Configure a firewall.
* Set sysctl parameters.
* Set sysctl parameters.
* Disable bootstrap interface configuration.
* Disable bootstrap interface configuration.
* Configure timezone and ntp.
* Configure timezone and ntp.
@ -980,7 +983,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
if parsed_args.wipe_disks:
if parsed_args.wipe_disks:
playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list(
playbooks += _build_playbook_list(
"users", "dev-tools", "disable-selinux", "network",
"users", "dev-tools", "disable-selinux", "network", "firewall",
"sysctl", "disable-glean", "disable-cloud-init", "time",
"sysctl", "disable-glean", "disable-cloud-init", "time",
"mdadm", "luks", "lvm", "docker-devicemapper",
"mdadm", "luks", "lvm", "docker-devicemapper",
"kolla-ansible-user", "kolla-pip", "kolla-target-venv")
"kolla-ansible-user", "kolla-pip", "kolla-target-venv")
@ -324,6 +324,7 @@ class TestCase(unittest.TestCase):
utils.get_data_files_path("ansible", "users.yml"),
utils.get_data_files_path("ansible", "users.yml"),
utils.get_data_files_path("ansible", "dev-tools.yml"),
utils.get_data_files_path("ansible", "dev-tools.yml"),
utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "firewall.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "time.yml"),
utils.get_data_files_path("ansible", "time.yml"),
utils.get_data_files_path("ansible", "mdadm.yml"),
utils.get_data_files_path("ansible", "mdadm.yml"),
@ -496,6 +497,7 @@ class TestCase(unittest.TestCase):
utils.get_data_files_path(
utils.get_data_files_path(
"ansible", "disable-selinux.yml"),
"ansible", "disable-selinux.yml"),
utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "firewall.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "ip-routing.yml"),
utils.get_data_files_path("ansible", "ip-routing.yml"),
utils.get_data_files_path("ansible", "snat.yml"),
utils.get_data_files_path("ansible", "snat.yml"),
@ -1041,6 +1043,7 @@ class TestCase(unittest.TestCase):
utils.get_data_files_path(
utils.get_data_files_path(
"ansible", "disable-selinux.yml"),
"ansible", "disable-selinux.yml"),
utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "firewall.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "disable-glean.yml"),
utils.get_data_files_path("ansible", "disable-glean.yml"),
utils.get_data_files_path(
utils.get_data_files_path(
|
||||||
|
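--- /dev/null
+++ b/releasenotes/notes/firewalld-48dd2efd52c79252.yaml
@@ -0,0 +1,5 @@
+---
+features:
+- |
+Adds support for configuring a firewall via firewalld on CentOS. See `story
+2008991 <https://storyboard.openstack.org/#!/story/2008991>`__ for details.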