From 46ccb9184100cac21b02b64a6c133a12baef71d1 Mon Sep 17 00:00:00 2001
From: Major Hayden <major@mhtx.net>
Date: Fri, 23 Jun 2017 08:18:05 -0500
Subject: [PATCH] [Docs] Recommendations for firewalld

This docs patch recommends that deployers disable firewalld on their
deployments until rulesets can be developed.

Related-bug: 1657518
Change-Id: I3b8030fde4edc35145ad42ba59a6721631fddcd7
---
 deploy-guide/source/deploymenthost.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/deploy-guide/source/deploymenthost.rst b/deploy-guide/source/deploymenthost.rst
index 9cb472f477..83f4fb08cd 100644
--- a/deploy-guide/source/deploymenthost.rst
+++ b/deploy-guide/source/deploymenthost.rst
@@ -85,6 +85,23 @@ Before you begin, we recommend upgrading your system packages and kernel.
 
 #. Configure NTP to synchronize with a suitable time source.
 
+#. The ``firewalld`` service is enabled on most CentOS systems by default and
+   its default ruleset prevents OpenStack components from communicating
+   properly. Stop the ``firewalld`` service and mask it to prevent it from
+   starting:
+
+   .. code-block:: shell-session
+
+       # systemctl stop firewalld
+       # systemctl mask firewalld
+
+.. note::
+
+    There is `future work planned <https://bugs.launchpad.net/openstack-ansible/+bug/1657518>`_
+    to create proper firewall rules for OpenStack services in OpenStack-Ansible
+    deployments. Until that work is complete, deployers must maintain their
+    own firewall rulesets or disable the firewall entirely.
+
 Configure the network
 ~~~~~~~~~~~~~~~~~~~~~