diff --git a/ansible/install/group_vars/all.yml b/ansible/install/group_vars/all.yml index 314952c93..1b4e1c4f0 100644 --- a/ansible/install/group_vars/all.yml +++ b/ansible/install/group_vars/all.yml @@ -104,6 +104,12 @@ shaker_flavor: m1.small shaker_centos: "{{shaker_venv}}/lib/python2.7/site-packages/shaker/resources/image_builder_templates/centos.yaml" shaker_region: regionOne +####################################### +# Connman Configuration +####################################### +# Port for Connman +connmon_port: 5800 + ######################################## # Browbeat Network Configuration ######################################## diff --git a/ansible/install/roles/browbeat/tasks/main.yml b/ansible/install/roles/browbeat/tasks/main.yml index bc504dd58..c5876fdbc 100644 --- a/ansible/install/roles/browbeat/tasks/main.yml +++ b/ansible/install/roles/browbeat/tasks/main.yml 
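Review bot: The new section header and comment say "Connman" while the variable they introduce is `connmon_port` and the consumer is the `connmon` role — ConnMan is an unrelated network manager, so this reads as a typo that will mislead anyone grepping the settings. Suggest `# Connmon Configuration` and `# Port for Connmon; the connmon role opens this port in the host firewall (firewalld public zone or /etc/sysconfig/iptables)`, since this same change turns the value into a permanent ACCEPT rule. Stating that last part here is worth it because changing the port later silently leaves the old rule in place.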
@@ -88,18 +88,65 @@ - name: Install shaker pip: name=pyshaker version=0.0.10 virtualenv={{ shaker_venv }} -- name: Check for shaker port in iptables - shell: iptables -nvL | grep -q "dpt:"{{ shaker_port }}"" - become: true - changed_when: false - register: shaker_iptables +### begin firewall ### +# we need TCP/5555 open +# determine firewall status and take action +# 1) use firewall-cmd if firewalld is utilized +# 2) insert iptables rule if iptables is used + +# Firewalld +- name: (shaker) Determine if firewalld is in use + shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true + register: firewalld_in_use + no_log: true -- name: Open up shaker port in iptables - shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport {{ shaker_port }} -j ACCEPT +- name: (shaker) Determine if firewalld is active + shell: systemctl is-active firewalld.service | grep -vq inactive + ignore_errors: true + register: firewalld_is_active + no_log: true + +- name: (shaker) Determine if TCP/{{shaker_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{shaker_port}}/tcp" + ignore_errors: true + register: firewalld_tcp{{shaker_port}}_exists + no_log: true + +# add firewall rule via firewall-cmd +- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (firewalld) + command: "{{ item }}" + with_items: + - firewall-cmd --zone=public --add-port={{shaker_port}}/tcp --permanent + - firewall-cmd --reload + ignore_errors: true become: true - when: shaker_iptables.rc == 1 + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{shaker_port}}_exists.rc != 0 +# iptables-services +- name: (shaker) check firewall rules for TCP/{{shaker_port}} (iptables-services) + shell: grep "dport {{shaker_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l + ignore_errors: true + register: iptables_tcp5555_exists + failed_when: iptables_tcp{{shaker_port}}_exists == 127 + no_log: true + +- name: (shaker) Add firewall rule for 
TCP/{{shaker_port}} (iptables-services) + lineinfile: + dest: /etc/sysconfig/iptables + line: '-A INPUT -p tcp -m tcp --dport {{shaker_port}} -j ACCEPT' + regexp: '^INPUT -i lo -j ACCEPT' + insertbefore: '-A INPUT -i lo -j ACCEPT' + backup: yes + when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5555_exists.stdout|int == 0 + register: iptables_needs_restart + +- name: (shaker) Restart iptables-services for TCP/{{shaker_port}} (iptables-services) + shell: systemctl restart iptables.service + ignore_errors: true + when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 + +### end firewall ### # # Serve results out of httpd if results_in_httpd is set to true # diff --git a/ansible/install/roles/connmon/tasks/main.yml b/ansible/install/roles/connmon/tasks/main.yml index 07aa1cdc9..e245334ec 100644 --- a/ansible/install/roles/connmon/tasks/main.yml +++ b/ansible/install/roles/connmon/tasks/main.yml 
@@ -37,13 +37,62 @@ changed_when: false ignore_errors: true -- name: check iptables - shell: iptables -nvL | grep -q "dpt:5800" - changed_when: false - when: undercloud - register: connmon_port - ignore_errors: true +### begin firewall ### +# we need TCP/5555 open +# determine firewall status and take action +# 1) use firewall-cmd if firewalld is utilized +# 2) insert iptables rule if iptables is used -- name: open up iptables - shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport 5800 -j ACCEPT - when: undercloud and connmon_port.rc == 1 +# Firewalld +- name: (connmon) Determine if firewalld is in use + shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' + ignore_errors: true + register: firewalld_in_use + no_log: true + +- name: (connmon) Determine if firewalld is active + shell: systemctl is-active firewalld.service | grep -vq inactive + ignore_errors: true + register: firewalld_is_active + no_log: true + +- name: (connmon) Determine if TCP/{{connmon_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp" + ignore_errors: true + register: firewalld_tcp{{connmon_port}}_exists + no_log: true + +# add firewall rule via firewall-cmd +- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (firewalld) + command: "{{ item }}" + with_items: + - firewall-cmd --zone=public --add-port={{connmon_port}}/tcp --permanent + - firewall-cmd --reload + ignore_errors: true + become: true + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0 + +# iptables-services +- name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services) + shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l + ignore_errors: true + register: iptables_tcp5800_exists + failed_when: iptables_tcp{{connmon_port}}_exists == 127 + no_log: true + +- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (iptables-services) + lineinfile: + 
dest: /etc/sysconfig/iptables + line: '-A INPUT -p tcp -m tcp --dport {{connmon_port}} -j ACCEPT' + regexp: '^INPUT -i lo -j ACCEPT' + insertbefore: '-A INPUT -i lo -j ACCEPT' + backup: yes + when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0 + register: iptables_needs_restart + +- name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services) + shell: systemctl restart iptables.service + ignore_errors: true + when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 + +### end firewall ###