firewall: configure firewalld if it's already installed on the host (#2192).

Signed-off-by: Eduard Egorov <eduard.egorov@icl-services.com>

group_vars/all.yml.sample

@@ -60,6 +60,11 @@ dummy:
 # want to set this to False to skip those checks.
 #check_firewall: False
 
+# Note: this task will only configure pre-installed firewall
+#configure_firewall: False
+#ceph_mon_firewall_zone: dmz
+#ceph_osd_firewall_zone: dmz
+#ceph_rgw_firewall_zone: dmz
 
 ############
 # PACKAGES #

group_vars/rhcs.yml.sample

@@ -60,6 +60,11 @@ fetch_directory: ~/ceph-ansible-keys
 # want to set this to False to skip those checks.
 #check_firewall: False
 
+# Note: this task will only configure pre-installed firewall
+#configure_firewall: False
+#ceph_mon_firewall_zone: dmz
+#ceph_osd_firewall_zone: dmz
+#ceph_rgw_firewall_zone: dmz
 
 ############
 # PACKAGES #

roles/ceph-common/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart firewalld
+  service:
+    name: firewalld
+    state: restarted
+    enabled: yes

roles/ceph-common/tasks/main.yml

@@ -12,6 +12,13 @@
   # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
   static: False
 
+- name: include misc/configure_firewall.yml
+  include: misc/configure_firewall.yml
+  when:
+    - configure_firewall
+  # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
+  static: False
+
 - name: include misc/system_tuning.yml
   include: misc/system_tuning.yml
   when:

roles/ceph-common/tasks/misc/configure_firewall.yml

@@ -0,0 +1,57 @@
+---
+- name: check firewalld installation on redhat
+  command: rpm -q firewalld
+  register: firewalld
+  ignore_errors: true
+  always_run: true
+  changed_when: false
+  when: ansible_os_family == 'RedHat'
+  tags:
+    - firewall
+
+- name: open monitor ports
+  firewalld:
+    service: ceph-mon
+    zone: "{{ ceph_mon_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - mon_group_name is defined
+    - mon_group_name in group_names
+    - firewalld.rc == 0
+  tags:
+    - firewall
+
+- name: open osd ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_osd_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - osd_group_name is defined
+    - osd_group_name in group_names
+    - firewalld.rc == 0
+  tags:
+    - firewall
+
+- name: open rgw ports
+  firewalld:
+    port: "{{ radosgw_civetweb_port }}/tcp"
+    zone: "{{ ceph_rgw_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - rgw_group_name is defined
+    - rgw_group_name in group_names
+    - firewalld.rc == 0
+  tags:
+    - firewall
+
+- meta: flush_handlers

roles/ceph-defaults/defaults/main.yml

@@ -52,6 +52,11 @@ mgr_group_name: mgrs
 # want to set this to False to skip those checks.
 check_firewall: False
 
+# Note: this task will only configure pre-installed firewall
+configure_firewall: False
+ceph_mon_firewall_zone: dmz
+ceph_osd_firewall_zone: dmz
+ceph_rgw_firewall_zone: dmz
 
 ############
 # PACKAGES #