Support configuration of firewalld

Adds support for configuring firewalld for CentOS hosts managed by
Kayobe.

* create zones
* set default zone
* set zone for interfaces
* define rules

Change-Id: Id60e25e129e323f3c07e702bb81a11efc530fb3e
Story: 2008991
Task: 42644
Mark Goddard 2021-06-18 11:26:58 +01:00
parent f09faa43d1
commit 7d15aa16f2
29 changed files with 631 additions and 3 deletions

12
ansible/firewall.yml Normal file

@ -0,0 +1,12 @@
---
- name: Ensure firewall is configured
hosts: seed-hypervisor:seed:overcloud
tags:
- config
- firewall
tasks:
- name: Configure the firewall
include_role:
name: "firewall-{{ ansible_facts.os_family | lower }}"
when:
- ansible_facts.os_family == 'RedHat'
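Review bot: A host whose `firewalld_enabled` is true but whose OS family is not RedHat is skipped silently by the `when` on the include, so an operator who sets `*_firewalld_enabled: true` for an Ubuntu host ends up with no firewall and no warning. Since the commit itself says no firewall is supported on Ubuntu, failing loudly is safer: add a task before the include, e.g. `- name: Fail if firewalld is requested on an unsupported OS` with `fail:` and `when: ansible_facts.os_family != 'RedHat' and firewalld_enabled | bool` (the `firewalld_enabled` variable is provided per group by the inventory group_vars files added in this change). Indentation appears to have been lost in this rendered section, so structure is read from key order only.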


@ -133,3 +133,24 @@ compute_sysctl_parameters: {}
# List of users to create. This should be in a format accepted by the # List of users to create. This should be in a format accepted by the
# singleplatform-eng.users role. # singleplatform-eng.users role.
compute_users: "{{ users_default }}" compute_users: "{{ users_default }}"
###############################################################################
# Compute node firewalld configuration.
# Whether to install and enable firewalld.
compute_firewalld_enabled: false
# A list of zones to create. Each item is a dict containing a 'zone' item.
compute_firewalld_zones: []
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
compute_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
compute_firewalld_rules: []
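Review bot: The comment on `compute_firewalld_enabled` ("Whether to install and enable firewalld") understates what `false` does: the role's disabled path in this change stops, disables and uninstalls the firewalld package, so the default is an active removal of the host firewall rather than leaving it untouched. Operators deciding whether to keep the default should be told, e.g. `# Whether to install and enable firewalld. When false, firewalld is stopped,` / `# disabled and uninstalled.` The same wording applies to the parallel blocks for the controller, monitoring, seed, seed-hypervisor and storage groups.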


@ -155,3 +155,24 @@ controller_sysctl_parameters: {}
# List of users to create. This should be in a format accepted by the # List of users to create. This should be in a format accepted by the
# singleplatform-eng.users role. # singleplatform-eng.users role.
controller_users: "{{ users_default }}" controller_users: "{{ users_default }}"
###############################################################################
# Controller node firewalld configuration.
# Whether to install and enable firewalld.
controller_firewalld_enabled: false
# A list of zones to create. Each item is a dict containing a 'zone' item.
controller_firewalld_zones: []
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
controller_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
controller_firewalld_rules: []


@ -94,3 +94,24 @@ monitoring_sysctl_parameters: "{{ controller_sysctl_parameters }}"
# List of users to create. This should be in a format accepted by the # List of users to create. This should be in a format accepted by the
# singleplatform-eng.users role. # singleplatform-eng.users role.
monitoring_users: "{{ controller_users }}" monitoring_users: "{{ controller_users }}"
###############################################################################
# Monitoring node firewalld configuration.
# Whether to install and enable firewalld.
monitoring_firewalld_enabled: "{{ controller_firewalld_enabled }}"
# A list of zones to create. Each item is a dict containing a 'zone' item.
monitoring_firewalld_zones: "{{ controller_firewalld_zones }}"
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
monitoring_firewalld_rules: "{{ controller_firewalld_rules }}"


@ -113,3 +113,24 @@ seed_users: "{{ users_default }}"
# post: "{{ kayobe_env_config_path }}/containers/squid/post.yml" # post: "{{ kayobe_env_config_path }}/containers/squid/post.yml"
# #
seed_containers: {} seed_containers: {}
###############################################################################
# Seed node firewalld configuration.
# Whether to install and enable firewalld.
seed_firewalld_enabled: false
# A list of zones to create. Each item is a dict containing a 'zone' item.
seed_firewalld_zones: []
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
seed_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
seed_firewalld_rules: []


@ -128,3 +128,24 @@ seed_hypervisor_sysctl_parameters: {}
# List of users to create. This should be in a format accepted by the # List of users to create. This should be in a format accepted by the
# singleplatform-eng.users role. # singleplatform-eng.users role.
seed_hypervisor_users: "{{ users_default }}" seed_hypervisor_users: "{{ users_default }}"
###############################################################################
# Seed hypervisor node firewalld configuration.
# Whether to install and enable firewalld.
seed_hypervisor_firewalld_enabled: false
# A list of zones to create. Each item is a dict containing a 'zone' item.
seed_hypervisor_firewalld_zones: []
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
seed_hypervisor_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
seed_hypervisor_firewalld_rules: []


@ -145,3 +145,24 @@ storage_sysctl_parameters: {}
# List of users to create. This should be in a format accepted by the # List of users to create. This should be in a format accepted by the
# singleplatform-eng.users role. # singleplatform-eng.users role.
storage_users: "{{ users_default }}" storage_users: "{{ users_default }}"
###############################################################################
# Storage node firewalld configuration.
# Whether to install and enable firewalld.
storage_firewalld_enabled: false
# A list of zones to create. Each item is a dict containing a 'zone' item.
storage_firewalld_zones: []
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
storage_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
storage_firewalld_rules: []


@ -0,0 +1,21 @@
---
###############################################################################
# Compute node firewalld configuration.
# Whether to install and enable firewalld.
firewalld_enabled: "{{ compute_firewalld_enabled }}"
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: "{{ compute_firewalld_zones }}"
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone: "{{ compute_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: "{{ compute_firewalld_rules }}"


@ -0,0 +1,21 @@
---
###############################################################################
# Controller node firewalld configuration.
# Whether to install and enable firewalld.
firewalld_enabled: "{{ controller_firewalld_enabled }}"
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: "{{ controller_firewalld_zones }}"
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: "{{ controller_firewalld_rules }}"


@ -0,0 +1,33 @@
---
###############################################################################
# Monitoring node firewalld configuration.
# Whether to install and enable firewalld.
firewalld_enabled: >-
{{ controller_firewalld_enabled
if inventory_hostname in groups['controllers'] else
monitoring_firewalld_enabled }}
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: >
{{ controller_firewalld_zones
if inventory_hostname in groups['controllers'] else
monitoring_firewalld_zones }}
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone: >-
{{ controller_firewalld_default_zone
if inventory_hostname in groups['controllers'] else
monitoring_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: >
{{ controller_firewalld_rules
if inventory_hostname in groups['controllers'] else
monitoring_firewalld_rules }}"
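Review bot: The stray `"` after `}}` on the `firewalld_default_zone` and `firewalld_rules` values is a defect: these are block scalars (`>-` / `>`), not quoted strings, so the quote presumably becomes part of the rendered value. `firewalld_default_zone` would then render as something like `None"` or `public"`, which passes the role's `is not none` / `length > 0` guard and is handed to `firewall-offline-cmd --set-default-zone`, while `firewalld_rules` renders as `[]"`, a string that `loop:` rejects, so firewalld configuration would fail on every host in the monitoring group, including controllers that are also monitoring hosts. Drop the two trailing quotes, and use `>-` for `firewalld_zones` and `firewalld_rules` as well so no trailing newline is folded into those values; the `firewalld_enabled` value at the top of this file is the correct form to copy.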


@ -0,0 +1,21 @@
---
###############################################################################
# Seed Hypervisor node firewalld configuration.
# Whether to install and enable firewalld.
firewalld_enabled: "{{ seed_hypervisor_firewalld_enabled }}"
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: "{{ seed_hypervisor_firewalld_zones }}"
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone: "{{ seed_hypervisor_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: "{{ seed_hypervisor_firewalld_rules }}"


@ -0,0 +1,21 @@
---
###############################################################################
# Seed node firewalld configuration.
# Whether to install and enable firewalld.
firewalld_enabled: "{{ seed_firewalld_enabled }}"
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: "{{ seed_firewalld_zones }}"
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone: "{{ seed_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: "{{ seed_firewalld_rules }}"


@ -0,0 +1,21 @@
---
###############################################################################
# Storage node firewalld configuration.
# Whether to install and enable firewalld.
firewalld_enabled: "{{ storage_firewalld_enabled }}"
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: "{{ storage_firewalld_zones }}"
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone: "{{ storage_firewalld_default_zone }}"
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: "{{ storage_firewalld_rules }}"


@ -0,0 +1,18 @@
---
# Whether to install and enable firewalld.
firewalld_enabled: false
# A list of zones to create. Each item is a dict containing a 'zone' item.
firewalld_zones: []
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
firewalld_rules: []


@ -0,0 +1,10 @@
---
- name: Restart firewalld
service:
name: firewalld
state: restarted
become: true
- name: Check connectivity after firewalld restart
ping:
listen: Restart firewalld
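Review bot: The handler does a full `state: restarted`, and as far as I know stopping firewalld removes its ruleset, so every configuration change presumably opens a short window in which the host accepts all traffic; since the enabled path always has the service running before this handler fires, `state: reloaded` (firewalld's reload re-reads the permanent configuration written by `firewall-offline-cmd`) would apply the change without that gap. The `ping` that follows only detects a lockout after the fact: if the new ruleset removes `ssh` from the zone holding the Ansible-facing interface, the play fails with the host unreachable and there is no rollback. A comment on the ping handler saying exactly that, and a warning in the docs that rules must keep `ssh` (or an equivalent rich rule) reachable on the management interface, would help operators avoid it.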


@ -0,0 +1,18 @@
---
- name: Ensure firewalld service is stopped and disabled
service:
name: firewalld
enabled: false
state: stopped
become: true
register: firewalld_result
failed_when:
- firewalld_result is failed
# Ugh, Ansible's service module doesn't handle uninstalled services.
- "'Could not find the requested service' not in firewalld_result.msg"
- name: Ensure firewalld package is uninstalled
package:
name: firewalld
state: absent
become: true
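Review bot: The `failed_when` on the stop task dereferences `firewalld_result.msg` unconditionally, so a failed result that carries no `msg` key would raise an undefined-variable error instead of evaluating the intended condition; `"'Could not find the requested service' not in (firewalld_result.msg | default(''))"` keeps the workaround while tolerating that. It would also be worth a header comment stating that this path removes the package outright rather than merely stopping the service, since `*_firewalld_enabled` defaults to false for every group and this is what those defaults do to a host that previously had firewalld installed.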


@ -0,0 +1,71 @@
---
- name: Ensure firewalld package is installed
package:
name: firewalld
become: true
- name: Ensure firewalld service is enabled
service:
name: firewalld
enabled: true
# FIXME: should be possible to configure firewalld offline, but it fails to
# apply config.
state: started
become: true
- block:
- name: Get firewalld current default zone
command:
cmd: "firewall-offline-cmd --get-default-zone"
changed_when: false
register: current_default_zone
- name: Set firewalld default zone
command: "firewall-offline-cmd --set-default-zone {{ firewalld_default_zone }}"
when: current_default_zone.stdout != firewalld_default_zone
notify: Restart firewalld
become: true
when:
- firewalld_default_zone is not none
- firewalld_default_zone | length > 0
- name: Ensure firewalld zones exist
firewalld:
offline: true
permanent: true
state: "{{ item.state | default('present') }}"
zone: "{{ item.zone }}"
become: true
loop: "{{ firewalld_zones }}"
- name: Set firewalld zones for network interfaces
firewalld:
interface: "{{ item | net_interface }}"
offline: true
permanent: true
state: enabled
zone: "{{ item | net_zone }}"
become: true
loop: "{{ network_interfaces }}"
when: item | net_zone
notify: Restart firewalld
- name: Ensure firewalld rules are applied
firewalld:
icmp_block: "{{ item.icmp_block | default(omit) }}"
icmp_block_inversion: "{{ item.icmp_block_inversion | default(omit) }}"
immediate: "{{ item.immediate | default(omit) }}"
interface: "{{ item.interface | default(omit) }}"
masquerade: "{{ item.masquerade | default(omit) }}"
offline: "{{ item.offline | default(true) }}"
permanent: "{{ item.permanent | default(true) }}"
port: "{{ item.port | default(omit) }}"
rich_rule: "{{ item.rich_rule | default(omit) }}"
service: "{{ item.service | default(omit) }}"
source: "{{ item.source | default(omit) }}"
state: "{{ item.state | default('enabled') }}"
timeout: "{{ item.timeout | default(omit) }}"
zone: "{{ item.zone | default(omit) }}"
become: true
loop: "{{ firewalld_rules }}"
notify: Restart firewalld
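Review bot: `Ensure firewalld service is enabled` starts the service before any default zone, zone, interface assignment or rule in this file has been written, so on a first run the host comes up on the distribution's default ruleset and stays on it until the `Restart firewalld` handler fires at the end of the play, and because the changing tasks use `offline: true` / `permanent: true` with `immediate` omitted, nothing the operator defined is applied to the running firewall before then; adding `- meta: flush_handlers` as the last task would apply the persisted configuration, and run the connectivity check, before the role returns (the FIXME above suggests fully offline configuration was the intent, which this would also preserve). Separately, the default-zone task interpolates `firewalld_default_zone` into a `command` string; `command` does not invoke a shell, but a value containing whitespace would be split into extra arguments, so pass it as `argv: ["firewall-offline-cmd", "--set-default-zone", "{{ firewalld_default_zone }}"]`. Nothing here guards against a rule set that removes `ssh` from whichever zone ends up holding the Ansible-facing interface — the documentation example in this same change disables `ssh` in both zones it creates — which is a lockout unless that interface is given another zone via `net_zone`; a comment on the rules task noting this would be valuable.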


@ -0,0 +1,3 @@
---
- name: Include tasks
include_tasks: "{{ 'enabled' if firewalld_enabled | bool else 'disabled' }}.yml"


@ -565,6 +565,9 @@ kolla_group: "{{ kolla_ansible_group }}"
virtualenv: {{ kolla_ansible_target_venv }} virtualenv: {{ kolla_ansible_target_venv }}
{% endif %} {% endif %}
# Avoid disabling the firewall on CentOS, since we manage it in Kayobe.
disable_firewall: "{% raw %}{{ ansible_facts.os_family == 'Debian' }}{% endraw %}"
{% if kolla_extra_globals %} {% if kolla_extra_globals %}
####################### #######################
# Extra configuration # Extra configuration


@ -328,6 +328,98 @@ Network Configuration
Configuration of host networking is covered in depth in Configuration of host networking is covered in depth in
:ref:`configuration-network`. :ref:`configuration-network`.
Firewalld
=========
*tags:*
| ``firewall``
.. note:: Firewalld is supported on CentOS systems only. Currently no
firewall is supported on Ubuntu.
Firewalld can be used to provide a firewall on CentOS systems. Since the Xena
release, Kayobe provides support for enabling or disabling firewalld, as well
as defining zones and rules.
The following variables can be used to set whether to enable firewalld:
* ``seed_hypervisor_firewalld_enabled``
* ``seed_firewalld_enabled``
* ``compute_firewalld_enabled``
* ``controller_firewalld_enabled``
* ``monitoring_firewalld_enabled``
* ``storage_firewalld_enabled``
When firewalld is enabled, the following variables can be used to configure a
list of zones to create. Each item is a dict containing a ``zone`` item:
* ``seed_hypervisor_firewalld_zones``
* ``seed_firewalld_zones``
* ``compute_firewalld_zones``
* ``controller_firewalld_zones``
* ``monitoring_firewalld_zones``
* ``storage_firewalld_zones``
The following variables can be used to set a default zone. The default is
unset, in which case the default zone will not be changed:
* ``seed_hypervisor_firewalld_default_zone``
* ``seed_firewalld_default_zone``
* ``compute_firewalld_default_zone``
* ``controller_firewalld_default_zone``
* ``monitoring_firewalld_default_zone``
* ``storage_firewalld_default_zone``
The following variables can be used to set a list of rules to apply. Each item
is a dict containing arguments to pass to the ``firewalld`` module. Arguments
are omitted if not provided, with the following exceptions: ``offline``
(default ``true``), ``permanent`` (default ``true``), ``state`` (default
``enabled``):
* ``seed_hypervisor_firewalld_rules``
* ``seed_firewalld_rules``
* ``compute_firewalld_rules``
* ``controller_firewalld_rules``
* ``monitoring_firewalld_rules``
* ``storage_firewalld_rules``
In the following example, firewalld is enabled on controllers. ``public`` and
``internal`` zones are created, with their default rules disabled. TCP port
8080 is open in the ``internal`` zone, and the ``http`` service is open in the
``public`` zone:
.. code-block:: yaml
controller_firewalld_enabled: true
controller_firewalld_zones:
- zone: public
- zone: internal
controller_firewalld_rules:
# Disable default rules in internal zone.
- service: dhcpv6-client
state: disabled
zone: internal
- service: samba-client
state: disabled
zone: internal
- service: ssh
state: disabled
zone: internal
# Disable default rules in public zone.
- service: dhcpv6-client
state: disabled
zone: public
- service: ssh
state: disabled
zone: public
# Enable TCP port 8080 in internal zone.
- port: 8080/tcp
zone: internal
# Enable the HTTP service in the public zone.
- service: http
zone: public
Sysctls Sysctls
======= =======
*tags:* *tags:*


@ -115,6 +115,27 @@
# singleplatform-eng.users role. # singleplatform-eng.users role.
#compute_users: #compute_users:
###############################################################################
# Compute node firewalld configuration.
# Whether to install and enable firewalld.
#compute_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#compute_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#compute_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#compute_firewalld_rules:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes


@ -124,6 +124,27 @@
# singleplatform-eng.users role. # singleplatform-eng.users role.
#controller_users: #controller_users:
###############################################################################
# Controller node firewalld configuration.
# Whether to install and enable firewalld.
#controller_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#controller_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#controller_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#controller_firewalld_rules:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes


@ -88,6 +88,27 @@
# singleplatform-eng.users role. # singleplatform-eng.users role.
#monitoring_users: #monitoring_users:
###############################################################################
# Monitoring node firewalld configuration.
# Whether to install and enable firewalld.
#monitoring_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#monitoring_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#monitoring_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#monitoring_firewalld_rules:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes


@ -104,6 +104,27 @@
# singleplatform-eng.users role. # singleplatform-eng.users role.
#seed_hypervisor_users: #seed_hypervisor_users:
###############################################################################
# Seed hypervisor node firewalld configuration.
# Whether to install and enable firewalld.
#seed_hypervisor_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#seed_hypervisor_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#seed_hypervisor_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#seed_hypervisor_firewalld_rules:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes


@ -97,6 +97,27 @@
# #
#seed_containers: #seed_containers:
###############################################################################
# Seed node firewalld configuration.
# Whether to install and enable firewalld.
#seed_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#seed_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#seed_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#seed_firewalld_rules:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes


@ -120,6 +120,27 @@
# singleplatform-eng.users role. # singleplatform-eng.users role.
#storage_users: #storage_users:
###############################################################################
# Storage node firewalld configuration.
# Whether to install and enable firewalld.
#storage_firewalld_enabled:
# A list of zones to create. Each item is a dict containing a 'zone' item.
#storage_firewalld_zones:
# A firewalld zone to set as the default. Default is unset, in which case the
# default zone will not be changed.
#storage_firewalld_default_zone:
# A list of firewall rules to apply. Each item is a dict containing arguments
# to pass to the firewalld module. Arguments are omitted if not provided, with
# the following exceptions:
# - offline: true
# - permanent: true
# - state: enabled
#storage_firewalld_rules:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes


@ -413,6 +413,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
* Optionally, wipe unmounted disk partitions (--wipe-disks). * Optionally, wipe unmounted disk partitions (--wipe-disks).
* Configure user accounts, group associations, and authorised SSH keys. * Configure user accounts, group associations, and authorised SSH keys.
* Configure the host's network interfaces. * Configure the host's network interfaces.
* Configure a firewall.
* Set sysctl parameters. * Set sysctl parameters.
* Configure timezone and ntp. * Configure timezone and ntp.
* Optionally, configure software RAID arrays. * Optionally, configure software RAID arrays.
@ -453,7 +454,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
if parsed_args.wipe_disks: if parsed_args.wipe_disks:
playbooks += _build_playbook_list("wipe-disks") playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list( playbooks += _build_playbook_list(
"users", "dev-tools", "network", "sysctl", "time", "users", "dev-tools", "network", "firewall", "sysctl", "time",
"mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host") "mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
self.run_kayobe_playbooks(parsed_args, playbooks, self.run_kayobe_playbooks(parsed_args, playbooks,
limit="seed-hypervisor") limit="seed-hypervisor")
@ -571,6 +572,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
* Configure user accounts, group associations, and authorised SSH keys. * Configure user accounts, group associations, and authorised SSH keys.
* Disable SELinux. * Disable SELinux.
* Configure the host's network interfaces. * Configure the host's network interfaces.
* Configure a firewall.
* Set sysctl parameters. * Set sysctl parameters.
* Configure IP routing and source NAT. * Configure IP routing and source NAT.
* Disable bootstrap interface configuration. * Disable bootstrap interface configuration.
@ -607,7 +609,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
if parsed_args.wipe_disks: if parsed_args.wipe_disks:
playbooks += _build_playbook_list("wipe-disks") playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list( playbooks += _build_playbook_list(
"users", "dev-tools", "disable-selinux", "network", "users", "dev-tools", "disable-selinux", "network", "firewall",
"sysctl", "ip-routing", "snat", "disable-glean", "time", "sysctl", "ip-routing", "snat", "disable-glean", "time",
"mdadm", "luks", "lvm", "docker-devicemapper", "mdadm", "luks", "lvm", "docker-devicemapper",
"kolla-ansible-user", "kolla-pip", "kolla-target-venv") "kolla-ansible-user", "kolla-pip", "kolla-target-venv")
@ -946,6 +948,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
* Configure user accounts, group associations, and authorised SSH keys. * Configure user accounts, group associations, and authorised SSH keys.
* Disable SELinux. * Disable SELinux.
* Configure the host's network interfaces. * Configure the host's network interfaces.
* Configure a firewall.
* Set sysctl parameters. * Set sysctl parameters.
* Disable bootstrap interface configuration. * Disable bootstrap interface configuration.
* Configure timezone and ntp. * Configure timezone and ntp.
@ -980,7 +983,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
if parsed_args.wipe_disks: if parsed_args.wipe_disks:
playbooks += _build_playbook_list("wipe-disks") playbooks += _build_playbook_list("wipe-disks")
playbooks += _build_playbook_list( playbooks += _build_playbook_list(
"users", "dev-tools", "disable-selinux", "network", "users", "dev-tools", "disable-selinux", "network", "firewall",
"sysctl", "disable-glean", "disable-cloud-init", "time", "sysctl", "disable-glean", "disable-cloud-init", "time",
"mdadm", "luks", "lvm", "docker-devicemapper", "mdadm", "luks", "lvm", "docker-devicemapper",
"kolla-ansible-user", "kolla-pip", "kolla-target-venv") "kolla-ansible-user", "kolla-pip", "kolla-target-venv")


@ -324,6 +324,7 @@ class TestCase(unittest.TestCase):
utils.get_data_files_path("ansible", "users.yml"), utils.get_data_files_path("ansible", "users.yml"),
utils.get_data_files_path("ansible", "dev-tools.yml"), utils.get_data_files_path("ansible", "dev-tools.yml"),
utils.get_data_files_path("ansible", "network.yml"), utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "firewall.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"), utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "time.yml"), utils.get_data_files_path("ansible", "time.yml"),
utils.get_data_files_path("ansible", "mdadm.yml"), utils.get_data_files_path("ansible", "mdadm.yml"),
@ -496,6 +497,7 @@ class TestCase(unittest.TestCase):
utils.get_data_files_path( utils.get_data_files_path(
"ansible", "disable-selinux.yml"), "ansible", "disable-selinux.yml"),
utils.get_data_files_path("ansible", "network.yml"), utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "firewall.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"), utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "ip-routing.yml"), utils.get_data_files_path("ansible", "ip-routing.yml"),
utils.get_data_files_path("ansible", "snat.yml"), utils.get_data_files_path("ansible", "snat.yml"),
@ -1041,6 +1043,7 @@ class TestCase(unittest.TestCase):
utils.get_data_files_path( utils.get_data_files_path(
"ansible", "disable-selinux.yml"), "ansible", "disable-selinux.yml"),
utils.get_data_files_path("ansible", "network.yml"), utils.get_data_files_path("ansible", "network.yml"),
utils.get_data_files_path("ansible", "firewall.yml"),
utils.get_data_files_path("ansible", "sysctl.yml"), utils.get_data_files_path("ansible", "sysctl.yml"),
utils.get_data_files_path("ansible", "disable-glean.yml"), utils.get_data_files_path("ansible", "disable-glean.yml"),
utils.get_data_files_path( utils.get_data_files_path(


@ -0,0 +1,5 @@
---
features:
- |
Adds support for configuring a firewall via firewalld on CentOS. See `story
2008991 <https://storyboard.openstack.org/#!/story/2008991>`__ for details.