From 6c5349d8970d9767cde68eab3a2b58f644453795 Mon Sep 17 00:00:00 2001
From: Russell Teague <rteague@redhat.com>
Date: Wed, 16 Nov 2016 14:15:52 -0500
Subject: Refactor os_firewall role
* Remove unneeded tasks duplicated by new module functionality
* Ansible systemd module has 'masked' and 'daemon_reload' options
* Ansible firewalld module has 'immediate' option
---
roles/os_firewall/README.md | 2 +-
roles/os_firewall/meta/main.yml | 10 ++--
roles/os_firewall/tasks/firewall/firewalld.yml | 65 +++++---------------------
roles/os_firewall/tasks/firewall/iptables.yml | 54 ++++-----------------
4 files changed, 26 insertions(+), 105 deletions(-)
(limited to 'roles/os_firewall')
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index c6c70b81d..bb7fc2384 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -31,7 +31,6 @@ Use iptables and open tcp ports 80 and 443:
---
- hosts: servers
vars:
- os_firewall_use_firewalld: false
os_firewall_allow:
- service: httpd
port: 80/tcp
@@ -46,6 +45,7 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80:
---
- hosts: servers
vars:
+ os_firewall_use_firewalld: true
os_firewall_allow:
- service: https
port: 443/tcp
diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml
index 6df7c9f2b..4cfc72011 100644
--- a/roles/os_firewall/meta/main.yml
+++ b/roles/os_firewall/meta/main.yml
@@ -6,11 +6,11 @@ galaxy_info:
license: Apache License, Version 2.0
min_ansible_version: 1.7
platforms:
- - name: EL
- versions:
- - 7
+ - name: EL
+ versions:
+ - 7
categories:
- - system
+ - system
allow_duplicates: yes
dependencies:
-- { role: openshift_facts }
+ - role: openshift_facts
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 5ddca1fc0..b6777c51f 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -2,87 +2,44 @@
- name: Install firewalld packages
action: "{{ ansible_pkg_mgr }} name=firewalld state=present"
when: not openshift.common.is_containerized | bool
- register: install_result
-
-- name: Check if iptables-services is installed
- command: rpm -q iptables-services
- register: pkg_check
- failed_when: pkg_check.rc > 1
- changed_when: no
- name: Ensure iptables services are not enabled
- service:
+ systemd:
name: "{{ item }}"
state: stopped
enabled: no
+ masked: yes
with_items:
- - iptables
- - ip6tables
- when: pkg_check.rc == 0
-
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
-- name: Determine if firewalld service masked
- command: >
- systemctl is-enabled firewalld
- register: os_firewall_firewalld_masked_output
- changed_when: false
- failed_when: false
-
-- name: Unmask firewalld service
- command: >
- systemctl unmask firewalld
- when: os_firewall_firewalld_masked_output.stdout == "masked"
+ - iptables
+ - ip6tables
+ register: task_result
+ failed_when: "task_result|failed and 'Could not find' not in task_result.msg"
- name: Start and enable firewalld service
- service:
+ systemd:
name: firewalld
state: started
enabled: yes
+ masked: no
+ daemon_reload: yes
register: result
- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
pause: seconds=10
when: result | changed
-- name: Mask iptables services
- command: systemctl mask "{{ item }}"
- register: result
- changed_when: "'iptables' in result.stdout"
- with_items:
- - iptables
- - ip6tables
- when: pkg_check.rc == 0
- ignore_errors: yes
-
-# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
-# enabling rules and making them permanent with the immediate flag
- name: Add firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
- permanent: false
- state: enabled
- with_items: "{{ os_firewall_allow }}"
-
-- name: Persist firewalld allow rules
firewalld:
port: "{{ item.port }}"
permanent: true
+ immediate: true
state: enabled
with_items: "{{ os_firewall_allow }}"
- name: Remove firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
- permanent: false
- state: disabled
- with_items: "{{ os_firewall_deny }}"
-
-- name: Persist removal of firewalld allow rules
firewalld:
port: "{{ item.port }}"
permanent: true
+ immediate: true
state: disabled
with_items: "{{ os_firewall_deny }}"
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 470d4f4f9..4c587495e 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -1,64 +1,28 @@
---
-- name: Check if firewalld is installed
- command: rpm -q firewalld
- args:
- # Disables the following warning:
- # Consider using yum, dnf or zypper module rather than running rpm
- warn: no
- register: pkg_check
- failed_when: pkg_check.rc > 1
- changed_when: no
- name: Ensure firewalld service is not enabled
- service:
+ systemd:
name: firewalld
state: stopped
enabled: no
- when: pkg_check.rc == 0
-
-# TODO: submit PR upstream to add mask/unmask to service module
-- name: Mask firewalld service
- command: systemctl mask firewalld
- register: result
- changed_when: "'firewalld' in result.stdout"
- when: pkg_check.rc == 0
- ignore_errors: yes
+ masked: yes
+ register: task_result
+ failed_when: "task_result|failed and 'Could not find' not in task_result.msg"
- name: Install iptables packages
action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
with_items:
- - iptables
- - iptables-services
- register: install_result
+ - iptables
+ - iptables-services
when: not openshift.common.is_atomic | bool
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
-- name: Determine if iptables service masked
- command: >
- systemctl is-enabled {{ item }}
- with_items:
- - iptables
- - ip6tables
- register: os_firewall_iptables_masked_output
- changed_when: false
- failed_when: false
-
-- name: Unmask iptables service
- command: >
- systemctl unmask {{ item }}
- with_items:
- - iptables
- - ip6tables
- when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')"
-
- name: Start and enable iptables service
- service:
+ systemd:
name: iptables
state: started
enabled: yes
+ masked: no
+ daemon_reload: yes
register: result
- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
--
cgit v1.2.3