firewall: configure firewalld if it's already installed on the host (#2192).

Signed-off-by: Eduard Egorov <eduard.egorov@icl-services.com>
pull/2257/head
Eduard Egorov 2017-11-17 12:32:48 +00:00 committed by Sébastien Han
parent 73a20e9b50
commit 6a5e0da30d
6 changed files with 85 additions and 0 deletions


@ -60,6 +60,11 @@ dummy:
# want to set this to False to skip those checks.
#check_firewall: False
# Note: this task will only configure pre-installed firewall
#configure_firewall: False
#ceph_mon_firewall_zone: dmz
#ceph_osd_firewall_zone: dmz
#ceph_rgw_firewall_zone: dmz
############
# PACKAGES #
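Review bot: The comment `# Note: this task will only configure pre-installed firewall` undersells the preconditions a user needs before flipping `configure_firewall` on: the included tasks detect firewalld via `rpm -q`, so nothing happens on non-RedHat hosts, and the `ceph_*_firewall_zone` values only matter if the Ceph interfaces (or source ranges) are actually bound to that zone. Suggest expanding it to `# Note: only configures an already-installed firewalld on RedHat-family hosts; *_firewall_zone must be a zone your Ceph interfaces are bound to, otherwise the rules have no effect`. The variables block continues outside the hunk.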


@ -60,6 +60,11 @@ fetch_directory: ~/ceph-ansible-keys
# want to set this to False to skip those checks.
#check_firewall: False
# Note: this task will only configure pre-installed firewall
#configure_firewall: False
#ceph_mon_firewall_zone: dmz
#ceph_osd_firewall_zone: dmz
#ceph_rgw_firewall_zone: dmz
############
# PACKAGES #


@ -0,0 +1,6 @@
---
- name: restart firewalld
service:
name: firewalld
state: restarted
enabled: yes
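Review bot: `enabled: yes` in the `restart firewalld` handler changes more than "configure a pre-installed firewall" suggests: on a host where firewalld is installed but deliberately stopped and disabled, the first run enables it at boot and starts filtering immediately with only the Ceph rules added, which can cut off other services on that host. Either drop `enabled: yes` and leave enablement to the operator, or document the side effect inline: `# NOTE: also enables firewalld at boot on hosts where it was installed but disabled`. Prefer `enabled: true` over `yes` so the value survives YAML 1.2 parsers unchanged.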


@ -12,6 +12,13 @@
# Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
static: False
- name: include misc/configure_firewall.yml
include: misc/configure_firewall.yml
when:
- configure_firewall
# Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
static: False
- name: include misc/system_tuning.yml
include: misc/system_tuning.yml
when:


@ -0,0 +1,57 @@
---
- name: check firewalld installation on redhat
command: rpm -q firewalld
register: firewalld
ignore_errors: true
always_run: true
changed_when: false
when: ansible_os_family == 'RedHat'
tags:
- firewall
- name: open monitor ports
firewalld:
service: ceph-mon
zone: "{{ ceph_mon_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- mon_group_name is defined
- mon_group_name in group_names
- firewalld.rc == 0
tags:
- firewall
- name: open osd ports
firewalld:
service: ceph
zone: "{{ ceph_osd_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- osd_group_name is defined
- osd_group_name in group_names
- firewalld.rc == 0
tags:
- firewall
- name: open rgw ports
firewalld:
port: "{{ radosgw_civetweb_port }}/tcp"
zone: "{{ ceph_rgw_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- rgw_group_name is defined
- rgw_group_name in group_names
- firewalld.rc == 0
tags:
- firewall
- meta: flush_handlers
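Review bot: The `- firewalld.rc == 0` guard on the three open-ports tasks errors out instead of skipping on non-RedHat hosts: the `rpm -q firewalld` check only runs `when: ansible_os_family == 'RedHat'`, so on other families the registered `firewalld` result is a skipped-task dict with no `rc` key and the conditional fails with an undefined-attribute error. Add `- firewalld.rc is defined` directly before each `- firewalld.rc == 0` (or use `- firewalld is not skipped`) so the tasks skip cleanly when there is nothing to configure. Secondary point: because every rule is `permanent: true` / `immediate: false`, nothing is applied until the handler restarts firewalld, and a restart (unlike a reload) discards any runtime-only rules an operator added by hand; worth a comment on the `notify` lines so that side effect is explicit.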


@ -52,6 +52,11 @@ mgr_group_name: mgrs
# want to set this to False to skip those checks.
check_firewall: False
# Note: this task will only configure pre-installed firewall
configure_firewall: False
ceph_mon_firewall_zone: dmz
ceph_osd_firewall_zone: dmz
ceph_rgw_firewall_zone: dmz
############
# PACKAGES #
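Review bot: Defaulting `ceph_mon_firewall_zone`, `ceph_osd_firewall_zone` and `ceph_rgw_firewall_zone` to `dmz` silently does nothing on a stock RHEL/CentOS host, where interfaces sit in firewalld's `public` zone unless an operator moved them: the ceph services get added to `dmz`, firewalld is restarted, and the mon/osd/rgw ports remain closed on the interfaces that actually carry cluster traffic. Either default these to `public` to match firewalld's own default zone, or keep `dmz` and add a comment above them: `# Must be the firewalld zone your Ceph interfaces are bound to (firewalld's default is 'public'); rules added to an unbound zone have no effect`. The variables block continues outside the hunk.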