Fix firewall variables, remove minor lines

* Apply @akrzos fix for firewall variabilization, make
  firewall register values a static string so port values
  are truly variablized.
* Remove one small, unneeded section doing an unnecessary
  lookup for firewall method since we run this earlier on.

Change-Id: Ia29781072d1babc1d71b71345ceb798356c219f5
Will Foster 2016-09-09 17:08:36 +01:00
parent 4832550256
commit 5095ffad73
7 changed files with 46 additions and 67 deletions


@ -65,7 +65,7 @@
- name: (connmon) Determine if TCP/{{connmon_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp"
ignore_errors: true
register: firewalld_tcp{{connmon_port}}_exists
register: firewalld_connmon_port_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -80,15 +80,15 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_connmon_port_exists.rc != 0
# iptables-services
- name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
become: true
register: iptables_tcp5800_exists
failed_when: iptables_tcp{{connmon_port}}_exists == 127
register: iptables_connmon_port_exists
failed_when: iptables_connmon_port_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -103,7 +103,7 @@
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
become: true
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_connmon_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
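Review bot: `failed_when: iptables_connmon_port_exists == 127` compares the whole registered result mapping to an integer, so it can never be true; the intent is the command's exit status, `failed_when: iptables_connmon_port_exists.rc == 127`. The same comparison is carried into the renamed lines of every other file in this commit (es_local_port, both fluentd ports, grafana, graphite, logstash_syslog, nginx_kibana and elk_server_ssl), so the fix belongs in all of them. With `ignore_errors: true` on the same task, a true failed_when would only mark the task failed without stopping the play, so if a missing grep binary (exit 127) is meant to abort the run, ignore_errors would have to go as well. The task list continues outside the hunk.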


@ -66,7 +66,7 @@
- name: Determine if TCP/{{es_local_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{es_local_port}}/tcp"
ignore_errors: true
register: firewalld_tcp9200_exists
register: firewalld_es_local_port_exists
no_log: true
when: es_listen_external
@ -78,14 +78,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9200_exists.rc != 0
when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_es_local_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{es_local_port}} (iptables-services)
shell: grep "dport {{es_local_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp9200_exists
failed_when: iptables_tcp9200_exists == 127
register: iptables_es_local_port_exists
failed_when: iptables_es_local_port_exists == 127
no_log: true
when: es_listen_external
@ -96,7 +96,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9200_exists.stdout|int == 0
when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_es_local_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{es_local_port}} (iptables-services)
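Review bot: The iptables-services check at `shell: grep "dport {{es_local_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l` and the lineinfile task ending at `register: iptables_needs_restart` carry no `become: true`, whereas the connmon file in this commit sets it on both. If the play does not already run privileged, reading /etc/sysconfig/iptables (commonly root-only) fails, `wc -l` then reports 0, `stdout|int == 0` is true and the rule insert runs and fails in turn; please confirm escalation is set at play level or add `become: true` to both tasks. The fluentd, grafana, graphite, logstash and nginx files show the same omission. Both tasks extend beyond the hunk.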


@ -63,7 +63,7 @@
- name: Determine if TCP/{{fluentd_syslog_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_syslog_port}}/tcp"
ignore_errors: true
register: firewalld_tcp42185_exists
register: firewalld_fluentd_syslog_port_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -78,14 +78,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp42185_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_fluentd_syslog_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{fluentd_syslog_port}} (iptables-services)
shell: grep "dport {{fluentd_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp42185_exists
failed_when: iptables_tcp42185_exists == 127
register: iptables_fluentd_syslog_port_exists
failed_when: iptables_fluentd_syslog_port_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -99,7 +99,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp42185_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_fluentd_syslog_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{fluentd_syslog_port}} (iptables-services)
@ -114,7 +114,7 @@
- name: Determine if TCP/{{fluentd_http_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_http_port}}/tcp"
ignore_errors: true
register: firewalld_tcp9919_exists
register: firewalld_fluentd_http_port_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -129,14 +129,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9919_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_fluentd_http_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{fluentd_http_port}} (iptables-services)
shell: grep "dport {{fluentd_http_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp9919_exists
failed_when: iptables_tcp9919_exists == 127
register: iptables_fluentd_http_port_exists
failed_when: iptables_fluentd_http_port_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -150,7 +150,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9919_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_fluentd_http_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{fluentd_http_port}} (iptables-services)
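Review bot: Now that the register names are derived from the port variable, the fluentd_syslog_port block and the fluentd_http_port block are the same six tasks differing only in which variable they reference, so a style follow-up could write them once and iterate with `with_items` over the two port variables, using `item` in the shell, register and when lines. That is larger than this commit and is only a suggestion for later. Note that both blocks register `iptables_needs_restart` and each restart task consumes it immediately afterwards, so the ordering must stay exactly as it is if the blocks are ever reorganised. The `failed_when ... == 127` lines here have the same missing `.rc` as in the connmon file.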


@ -73,7 +73,7 @@
- name: (grafana) Determine if TCP/{{grafana_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{grafana_port}}/tcp"
ignore_errors: true
register: firewalld_tcp{{grafana_port}}_exists
register: firewalld_grafana_port_exists
no_log: true
tags:
# Skip ANSIBLE0012] Commands should not change things if nothing needs doing
@ -88,14 +88,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{grafana_port}}_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_grafana_port_exists.rc != 0
# iptables-services
- name: (grafana) check firewall rules for TCP/{{grafana_port}} (iptables-services)
shell: grep "dport {{grafana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp3000_exists
failed_when: iptables_tcp{{grafana_port}}_exists == 127
register: iptables_grafana_port_exists
failed_when: iptables_grafana_port_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012] Commands should not change things if nothing needs doing
@ -109,11 +109,10 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp3000_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_grafana_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: (grafana) Restart iptables-services for TCP/{{grafana_port}} (iptables-services)
# TODO: replace with systemd module when Ansible 2.2 is the foundation
command: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
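Review bot: `when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0` compares a registered result mapping to an integer, which is always true, so whenever firewalld is not in use the iptables restart runs even when the lineinfile task was skipped or changed nothing; `when: iptables_needs_restart.changed and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0` limits the restart to the case where a rule was actually inserted. That line is context rather than part of this change, and the matching restart tasks in the other files lie outside their hunks, so they are likely to need the same check. `failed_when: iptables_grafana_port_exists == 127` has the same mapping-versus-integer problem and needs `.rc`. The lint comments in this file read `ANSIBLE0012]` with a stray bracket where the other files write `ANSIBLE0012`.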


@ -63,7 +63,7 @@
- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
ignore_errors: true
register: firewalld_tcp{{graphite_port}}_exists
register: firewalld_graphite_port_exists
no_log: true
# add firewall rule via firewall-cmd
@ -74,14 +74,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{graphite_port}}_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_graphite_port_exists.rc != 0
# iptables-services
- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp80_exists
failed_when: iptables_tcp{{graphite_port}}_exists == 127
register: iptables_graphite_port_exists
failed_when: iptables_graphite_port_exists == 127
no_log: true
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
@ -91,7 +91,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_graphite_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)


@ -131,7 +131,7 @@
- name: Determine if TCP/{{logstash_syslog_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
ignore_errors: true
register: firewalld_tcp{{logstash_syslog_port}}_exists
register: firewalld_logstash_syslog_port_exists
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to validate if port already configured
@ -145,14 +145,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{logstash_syslog_port}}_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_logstash_syslog_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services)
shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp5044_exists
failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127
register: iptables_logstash_syslog_port_exists
failed_when: iptables_logstash_syslog_port_exists == 127
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to validate if port already configured
@ -165,7 +165,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5044_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_logstash_syslog_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services)
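Review bot: The two check tasks registering `firewalld_logstash_syslog_port_exists` and `iptables_logstash_syslog_port_exists` are the only ones in this commit without `no_log: true`. If that is deliberate (both tasks also set `ignore_errors: true`, so their output is the only place a probe failure becomes visible), a comment such as `# no_log intentionally omitted so firewall probe failures stay visible` would stop a later pass from "fixing" it; otherwise add `no_log: true` to match the sibling files. The `failed_when ... == 127` comparison here has the same missing `.rc` as the other files.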


@ -34,7 +34,7 @@
register: nginx_needs_restart
# deploy basic nginx.conf 8080 vhost
- name: Setup nginx TCP/8080 vhost for SSL certificate
- name: Setup nginx TCP/{{elk_server_ssl_cert_port}} for SSL certificate retrieval
template:
src=nginx.conf.j2
dest=/etc/nginx/nginx.conf
@ -92,7 +92,7 @@
- name: Determine if TCP/{{nginx_kibana_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
ignore_errors: true
register: firewalld_tcp80_exists
register: firewalld_nginx_kibana_port_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -107,14 +107,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_nginx_kibana_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp80_exists
failed_when: iptables_tcp80_exists == 127
register: iptables_nginx_kibana_port_exists
failed_when: iptables_nginx_kibana_port_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -128,7 +128,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_nginx_kibana_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
@ -141,30 +141,10 @@
- skip_ansible_lint
# Firewalld
- name: Determine if firewalld is in use
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall is active
- skip_ansible_lint
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall is active
- skip_ansible_lint
- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
ignore_errors: true
register: firewalld_tcp8080_exists
register: firewalld_elk_server_ssl_port_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -179,14 +159,14 @@
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_elk_server_ssl_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp8080_exists
failed_when: iptables_tcp8080_exists == 127
register: iptables_elk_server_ssl_port_exists
failed_when: iptables_elk_server_ssl_port_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -200,7 +180,7 @@
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_elk_server_ssl_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
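Review bot: The last hunk drops the tasks that registered `firewalld_in_use` and `firewalld_is_active`, but the conditions that follow, `when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_elk_server_ssl_port_exists.rc != 0` and the iptables counterparts, still dereference both; the commit message says they are registered earlier, which is not visible here, so please confirm that earlier registration is in the same play and not behind a tag or `when` that can skip it, since an undefined variable makes the `.rc` lookup fail at the first condition. The register name `firewalld_elk_server_ssl_port_exists` does not follow the variable `elk_server_ssl_cert_port` the way every other file in this commit names its registers (`firewalld_<var>_exists`); `firewalld_elk_server_ssl_cert_port_exists` and `iptables_elk_server_ssl_cert_port_exists` would keep the convention. The comment above the renamed vhost task still says `# deploy basic nginx.conf 8080 vhost` while the task now uses `{{elk_server_ssl_cert_port}}`; `# deploy basic nginx.conf vhost on elk_server_ssl_cert_port` keeps it in step. The template task in the first hunk continues beyond the hunk.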