Fix firewall variables, remove minor lines
* Apply @akrzos fix for firewall variabilization, making the firewall register names static strings so the port values are truly variabilized. * Remove one small, unneeded section doing an unnecessary lookup for the firewall method, since we already run this earlier on. Change-Id: Ia29781072d1babc1d71b71345ceb798356c219f5
This commit is contained in:
parent
4832550256
commit
5095ffad73
@ -65,7 +65,7 @@
|
||||
- name: (connmon) Determine if TCP/{{connmon_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp{{connmon_port}}_exists
|
||||
register: firewalld_connmon_port_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -80,15 +80,15 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_connmon_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
|
||||
shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
become: true
|
||||
register: iptables_tcp5800_exists
|
||||
failed_when: iptables_tcp{{connmon_port}}_exists == 127
|
||||
register: iptables_connmon_port_exists
|
||||
failed_when: iptables_connmon_port_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -103,7 +103,7 @@
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
become: true
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_connmon_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
|
||||
|
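Review bot: The renamed `failed_when: iptables_connmon_port_exists == 127` in the second hunk compares the whole registered result mapping to an integer, so it can never be true and the intended "grep is missing" guard is dead; it should be `failed_when: iptables_connmon_port_exists.rc == 127`. Even with that fix the shell line `grep ... | wc -l` reports wc's exit status, so a 127 from grep is lost unless the command is prefixed with `set -o pipefail;`, and the next hunk's `stdout|int == 0` then reads as "no rule present" and appends an ACCEPT rule. The same dead `failed_when` is carried into the sections for es_local_port, fluentd_syslog_port, fluentd_http_port, grafana_port, graphite_port, logstash_syslog_port, nginx_kibana_port and elk_server_ssl_cert_port.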
@ -66,7 +66,7 @@
|
||||
- name: Determine if TCP/{{es_local_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{es_local_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp9200_exists
|
||||
register: firewalld_es_local_port_exists
|
||||
no_log: true
|
||||
when: es_listen_external
|
||||
|
||||
@ -78,14 +78,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9200_exists.rc != 0
|
||||
when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_es_local_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: check firewall rules for TCP/{{es_local_port}} (iptables-services)
|
||||
shell: grep "dport {{es_local_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp9200_exists
|
||||
failed_when: iptables_tcp9200_exists == 127
|
||||
register: iptables_es_local_port_exists
|
||||
failed_when: iptables_es_local_port_exists == 127
|
||||
no_log: true
|
||||
when: es_listen_external
|
||||
|
||||
@ -96,7 +96,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9200_exists.stdout|int == 0
|
||||
when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_es_local_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: Restart iptables-services for TCP/{{es_local_port}} (iptables-services)
|
||||
|
@ -63,7 +63,7 @@
|
||||
- name: Determine if TCP/{{fluentd_syslog_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_syslog_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp42185_exists
|
||||
register: firewalld_fluentd_syslog_port_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -78,14 +78,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp42185_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_fluentd_syslog_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: check firewall rules for TCP/{{fluentd_syslog_port}} (iptables-services)
|
||||
shell: grep "dport {{fluentd_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp42185_exists
|
||||
failed_when: iptables_tcp42185_exists == 127
|
||||
register: iptables_fluentd_syslog_port_exists
|
||||
failed_when: iptables_fluentd_syslog_port_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -99,7 +99,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp42185_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_fluentd_syslog_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: Restart iptables-services for TCP/{{fluentd_syslog_port}} (iptables-services)
|
||||
@ -114,7 +114,7 @@
|
||||
- name: Determine if TCP/{{fluentd_http_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_http_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp9919_exists
|
||||
register: firewalld_fluentd_http_port_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -129,14 +129,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9919_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_fluentd_http_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: check firewall rules for TCP/{{fluentd_http_port}} (iptables-services)
|
||||
shell: grep "dport {{fluentd_http_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp9919_exists
|
||||
failed_when: iptables_tcp9919_exists == 127
|
||||
register: iptables_fluentd_http_port_exists
|
||||
failed_when: iptables_fluentd_http_port_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -150,7 +150,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9919_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_fluentd_http_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: Restart iptables-services for TCP/{{fluentd_http_port}} (iptables-services)
|
||||
|
@ -73,7 +73,7 @@
|
||||
- name: (grafana) Determine if TCP/{{grafana_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{grafana_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp{{grafana_port}}_exists
|
||||
register: firewalld_grafana_port_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012] Commands should not change things if nothing needs doing
|
||||
@ -88,14 +88,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{grafana_port}}_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_grafana_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: (grafana) check firewall rules for TCP/{{grafana_port}} (iptables-services)
|
||||
shell: grep "dport {{grafana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp3000_exists
|
||||
failed_when: iptables_tcp{{grafana_port}}_exists == 127
|
||||
register: iptables_grafana_port_exists
|
||||
failed_when: iptables_grafana_port_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012] Commands should not change things if nothing needs doing
|
||||
@ -109,11 +109,10 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp3000_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_grafana_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: (grafana) Restart iptables-services for TCP/{{grafana_port}} (iptables-services)
|
||||
# TODO: replace with systemd module when Ansible 2.2 is the foundation
|
||||
command: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||
|
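Review bot: The restart task's condition `when: iptables_needs_restart != 0 and ...` in the third hunk tests a registered lineinfile result against an integer, which is always true, so iptables is restarted on every run the firewalld checks fail, not only when a rule was added; it should read `when: iptables_needs_restart is changed and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0`. The "Add firewall rule" task that registers iptables_needs_restart starts before the hunk, so I cannot confirm whether it is always executed or sometimes skipped, in which case a skipped result would also need handling. The restart task body ends outside the hunk.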
@ -63,7 +63,7 @@
|
||||
- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp{{graphite_port}}_exists
|
||||
register: firewalld_graphite_port_exists
|
||||
no_log: true
|
||||
|
||||
# add firewall rule via firewall-cmd
|
||||
@ -74,14 +74,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{graphite_port}}_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_graphite_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
|
||||
shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp80_exists
|
||||
failed_when: iptables_tcp{{graphite_port}}_exists == 127
|
||||
register: iptables_graphite_port_exists
|
||||
failed_when: iptables_graphite_port_exists == 127
|
||||
no_log: true
|
||||
|
||||
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
|
||||
@ -91,7 +91,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_graphite_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)
|
||||
|
@ -131,7 +131,7 @@
|
||||
- name: Determine if TCP/{{logstash_syslog_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp{{logstash_syslog_port}}_exists
|
||||
register: firewalld_logstash_syslog_port_exists
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to validate if port already configured
|
||||
@ -145,14 +145,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{logstash_syslog_port}}_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_logstash_syslog_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services)
|
||||
shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp5044_exists
|
||||
failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127
|
||||
register: iptables_logstash_syslog_port_exists
|
||||
failed_when: iptables_logstash_syslog_port_exists == 127
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to validate if port already configured
|
||||
@ -165,7 +165,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5044_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_logstash_syslog_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services)
|
||||
|
@ -34,7 +34,7 @@
|
||||
register: nginx_needs_restart
|
||||
|
||||
# deploy basic nginx.conf 8080 vhost
|
||||
- name: Setup nginx TCP/8080 vhost for SSL certificate
|
||||
- name: Setup nginx TCP/{{elk_server_ssl_cert_port}} for SSL certificate retrieval
|
||||
template:
|
||||
src=nginx.conf.j2
|
||||
dest=/etc/nginx/nginx.conf
|
||||
@ -92,7 +92,7 @@
|
||||
- name: Determine if TCP/{{nginx_kibana_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp80_exists
|
||||
register: firewalld_nginx_kibana_port_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -107,14 +107,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_nginx_kibana_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
|
||||
shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp80_exists
|
||||
failed_when: iptables_tcp80_exists == 127
|
||||
register: iptables_nginx_kibana_port_exists
|
||||
failed_when: iptables_nginx_kibana_port_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -128,7 +128,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_nginx_kibana_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
|
||||
@ -141,30 +141,10 @@
|
||||
- skip_ansible_lint
|
||||
|
||||
# Firewalld
|
||||
- name: Determine if firewalld is in use
|
||||
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
||||
ignore_errors: true
|
||||
register: firewalld_in_use
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if firewalld is active
|
||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
||||
ignore_errors: true
|
||||
register: firewalld_is_active
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp8080_exists
|
||||
register: firewalld_elk_server_ssl_port_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -179,14 +159,14 @@
|
||||
- firewall-cmd --reload
|
||||
ignore_errors: true
|
||||
become: true
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0
|
||||
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_elk_server_ssl_port_exists.rc != 0
|
||||
|
||||
# iptables-services
|
||||
- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
|
||||
shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
||||
ignore_errors: true
|
||||
register: iptables_tcp8080_exists
|
||||
failed_when: iptables_tcp8080_exists == 127
|
||||
register: iptables_elk_server_ssl_port_exists
|
||||
failed_when: iptables_elk_server_ssl_port_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
@ -200,7 +180,7 @@
|
||||
regexp: '^INPUT -i lo -j ACCEPT'
|
||||
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
||||
backup: yes
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
|
||||
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_elk_server_ssl_port_exists.stdout|int == 0
|
||||
register: iptables_needs_restart
|
||||
|
||||
- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
|
||||
|
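Review bot: After the fifth hunk removes the "Determine if firewalld is in use" and "Determine if firewalld is active" tasks, the later `when:` lines in this file still read `firewalld_in_use.rc` and `firewalld_is_active.rc`, so they now depend on those variables being registered by an earlier task that is outside the visible hunks; if that earlier task can be skipped, these conditions fail with an undefined variable, so a short comment above the first remaining use, `# firewalld_in_use / firewalld_is_active are registered earlier in this file`, would make the dependency explicit. The comment `# deploy basic nginx.conf 8080 vhost` in the first hunk is now stale against the renamed task and could read `# deploy basic nginx.conf {{elk_server_ssl_cert_port}} vhost for SSL certificate retrieval`. The new register name `firewalld_elk_server_ssl_port_exists` also drops the `cert` from `elk_server_ssl_cert_port`, unlike every other section where the register mirrors the variable name.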