ceph-ansible/roles/ceph-common/tasks/checks/check_firewall.yml

---
- name: check if nmap is installed
  local_action:
    module: command
      command -v nmap
  changed_when: false
  failed_when: false
  register: nmapexist
  run_once: true
  check_mode: no

- name: inform that nmap is not present
  debug:
      msg: "nmap is not installed, can not test if ceph ports are allowed :("
  run_once: true
  when:
    - nmapexist.rc != 0

- name: check if monitor port is not filtered
  local_action:
    module: shell
      set -o pipefail && nmap -p 6789 {{ hostvars[inventory_hostname]['ansible_' + monitor_interface]['ipv4']['address'] if hostvars[inventory_hostname]['ansible_' + monitor_interface] is defined else hostvars[inventory_hostname]['monitor_address'] }} | grep -sqo -e filtered -e '0 hosts up'
  changed_when: false
  failed_when: false
  register: monportstate
  check_mode: no
  when:
    - mon_group_name in group_names
    - nmapexist.rc == 0

- name: fail if monitor port is filtered
  fail:
      msg: "Please allow port 6789 on your firewall"
  when:
    - mon_group_name in group_names
    - nmapexist.rc == 0
    - monportstate.rc == 0

- name: check if osd and mds range is not filtered (osd hosts)
  local_action:
    module: shell
      set -o pipefail && nmap -p 6800-7300 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
  changed_when: false
  failed_when: false
  register: osdrangestate
  check_mode: no
  when:
    - osd_group_name in group_names
    - nmapexist.rc == 0

- name: fail if osd and mds range is filtered (osd hosts)
  fail:
      msg: "Please allow range from 6800 to 7300 on your firewall"
  when:
    - osd_group_name in group_names
    - nmapexist.rc == 0
    - osdrangestate.rc == 0

- name: check if osd and mds range is not filtered (mds hosts)
  local_action:
    module: shell
      set -o pipefail && nmap -p 6800-7300 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
  changed_when: false
  failed_when: false
  register: mdsrangestate
  check_mode: no
  when:
    - mds_group_name in group_names
    - nmapexist.rc == 0

- name: fail if osd and mds range is filtered (mds hosts)
  fail:
      msg: "Please allow range from 6800 to 7300 on your firewall"
  when:
    - mds_group_name in group_names
    - nmapexist.rc == 0
    - mdsrangestate.rc == 0

- name: check if rados gateway port is not filtered
  local_action:
    module: shell
      set -o pipefail && nmap -p {{ radosgw_civetweb_port }} {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
  changed_when: false
  failed_when: false
  register: rgwportstate
  check_mode: no
  when:
    - rgw_group_name in group_names
    - nmapexist.rc == 0

- name: fail if rados gateway port is filtered
  fail:
      msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
  when:
    - rgw_group_name in group_names
    - nmapexist.rc == 0
    - rgwportstate.rc == 0

- name: check if NFS ports are not filtered
  local_action:
    module: shell
      set -o pipefail && nmap -p 111,2049 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
  changed_when: false
  failed_when: false
  register: nfsportstate
  check_mode: no
  when:
    - nfs_group_name in group_names
    - nmapexist.rc == 0

- name: fail if NFS ports are filtered
  fail:
      msg: "Please allow ports 111 and 2049 on your firewall"
  when:
    - nfs_group_name in group_names
    - nmapexist.rc == 0
    - nfsportstate.rc == 0