From c3a2320e012b9884afd05a52aaabe2ebd71d0aea Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Fri, 30 Nov 2018 17:12:21 +0100 Subject: [PATCH] revert infra: don't restart firewalld if unit is masked If firewalld unit is masked, setting `configure_firewall: false` is enough Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1655059 Signed-off-by: Guillaume Abrioux (cherry picked from commit 1cff1f98065bf3b4056810a15998411f7300b58a) --- roles/ceph-defaults/tasks/facts.yml | 3 - roles/ceph-infra/handlers/main.yml | 5 +- roles/ceph-infra/tasks/configure_firewall.yml | 329 ++++++++---------- 3 files changed, 155 insertions(+), 182 deletions(-) diff --git a/roles/ceph-defaults/tasks/facts.yml b/roles/ceph-defaults/tasks/facts.yml index 4a3f6cf4c..0eb1d3a2c 100644 --- a/roles/ceph-defaults/tasks/facts.yml +++ b/roles/ceph-defaults/tasks/facts.yml @@ -247,6 +247,3 @@ - name: set_fact osd_pool_default_size set_fact: osd_pool_default_size: "{{ ceph_conf_overrides.get('global', {}).get('osd_pool_default_size', ceph_osd_pool_default_size) }}" - -- name: populate service facts - service_facts: diff --git a/roles/ceph-infra/handlers/main.yml b/roles/ceph-infra/handlers/main.yml index dc97de47b..49fb8e843 100644 --- a/roles/ceph-infra/handlers/main.yml +++ b/roles/ceph-infra/handlers/main.yml @@ -3,7 +3,4 @@ service: name: firewalld state: restarted - enabled: yes - when: - - ansible_facts['services']['firewalld.service'] is defined - - ansible_facts['services']['firewalld.service']['state'] != 'masked' \ No newline at end of file + enabled: yes \ No newline at end of file diff --git a/roles/ceph-infra/tasks/configure_firewall.yml b/roles/ceph-infra/tasks/configure_firewall.yml index e316c7f63..aed0e2617 100644 --- a/roles/ceph-infra/tasks/configure_firewall.yml +++ b/roles/ceph-infra/tasks/configure_firewall.yml 
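Review bot: The `restart firewalld` handler now runs `state: restarted` with `enabled: yes` unconditionally, so on a host whose firewalld unit is masked but which still has `configure_firewall` enabled, the enable step is expected to fail and abort the play at handler time, far from the firewall task that notified it. The commit message relies on the operator setting `configure_firewall: false` on such hosts, but nothing in the handler records that contract; add a comment above it, `# firewalld must not be masked on hosts that reach this handler; hosts with a masked unit must set configure_firewall: false (rhbz#1655059)`. The file still ends without a trailing newline on both sides, and `enabled: true` would be preferable to `yes` to avoid the YAML 1.1 truthy ambiguity.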
@@ -12,192 +12,171 @@ when: - not containerized_deployment -- name: start firewalld - service: - name: firewalld - state: started - enabled: yes - when: - - firewalld_pkg_query.get('rc', 1) == 0 - or is_atomic +- block: + - name: start firewalld + service: + name: firewalld + state: started + enabled: yes -- name: open monitor ports - firewalld: - service: ceph-mon - zone: "{{ ceph_mon_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - mon_group_name is defined - - mon_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open monitor and manager ports + firewalld: + service: "{{ item.service }}" + zone: "{{ item.zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + with_items: + - { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" } + - { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" } + when: + - mon_group_name is defined + - mon_group_name in group_names + tags: + - firewall -- name: open manager ports - firewalld: - service: ceph - zone: "{{ ceph_mgr_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - mgr_group_name is defined - - mgr_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open manager ports + firewalld: + service: ceph + zone: "{{ ceph_mgr_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - mgr_group_name is defined + - mgr_group_name in group_names + tags: + - firewall -- name: open osd ports - firewalld: - service: ceph - zone: "{{ ceph_osd_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: - - "{{ 
public_network }}" - - "{{ cluster_network }}" - notify: restart firewalld - when: - - osd_group_name is defined - - osd_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open osd ports + firewalld: + service: ceph + zone: "{{ ceph_osd_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: + - "{{ public_network }}" + - "{{ cluster_network }}" + notify: restart firewalld + when: + - osd_group_name is defined + - osd_group_name in group_names + tags: + - firewall -- name: open rgw ports - firewalld: - port: "{{ radosgw_frontend_port }}/tcp" - zone: "{{ ceph_rgw_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - rgw_group_name is defined - - rgw_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open rgw ports + firewalld: + port: "{{ radosgw_frontend_port }}/tcp" + zone: "{{ ceph_rgw_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - rgw_group_name is defined + - rgw_group_name in group_names + tags: + - firewall -- name: open mds ports - firewalld: - service: ceph - zone: "{{ ceph_mds_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - mds_group_name is defined - - mds_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open mds ports + firewalld: + service: ceph + zone: "{{ ceph_mds_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - mds_group_name is defined + - mds_group_name in group_names + tags: + - firewall -- name: open nfs ports - firewalld: - service: nfs 
- zone: "{{ ceph_nfs_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - nfs_group_name is defined - - nfs_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open nfs ports + firewalld: + service: nfs + zone: "{{ ceph_nfs_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - nfs_group_name is defined + - nfs_group_name in group_names + tags: + - firewall -- name: open nfs ports (portmapper) - firewalld: - port: "111/tcp" - zone: "{{ ceph_nfs_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - nfs_group_name is defined - - nfs_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open nfs ports (portmapper) + firewalld: + port: "111/tcp" + zone: "{{ ceph_nfs_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - nfs_group_name is defined + - nfs_group_name in group_names + tags: + - firewall -- name: open restapi ports - firewalld: - port: "{{ restapi_port }}/tcp" - zone: "{{ ceph_restapi_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - restapi_group_name is defined - - restapi_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open rbdmirror ports + firewalld: + service: ceph + zone: "{{ ceph_rbdmirror_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - rbdmirror_group_name is defined + - rbdmirror_group_name in group_names + tags: + - 
firewall -- name: open rbdmirror ports - firewalld: - service: ceph - zone: "{{ ceph_rbdmirror_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - rbdmirror_group_name is defined - - rbdmirror_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open iscsi target ports + firewalld: + port: "3260/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - iscsi_gw_group_name is defined + - iscsi_gw_group_name in group_names + tags: + - firewall -- name: open iscsi target ports - firewalld: - port: "3260/tcp" - zone: "{{ ceph_iscsi_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld - when: - - iscsi_gw_group_name is defined - - iscsi_gw_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - name: open iscsi api ports + firewalld: + port: "{{ api_port | default(5000) }}/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: true + state: enabled + notify: restart firewalld + when: + - iscsi_gw_group_name is defined + - iscsi_gw_group_name in group_names + tags: + - firewall -- name: open iscsi api ports - firewalld: - port: "{{ api_port | default(5000) }}/tcp" - zone: "{{ ceph_iscsi_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: true - state: enabled - notify: restart firewalld when: - - iscsi_gw_group_name is defined - - iscsi_gw_group_name in group_names - - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic) - tags: - - firewall + - (firewalld_pkg_query.get('rc', 1) == 0 + or is_atomic) - meta: flush_handlers
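Review bot: The new `open monitor and manager ports` task opens the `ceph` service in `ceph_mgr_firewall_zone` on every host in `mon_group_name`, while the `open manager ports` task that follows does the same for `mgr_group_name`, so a monitor that is not also a manager now gets the broader `ceph` service range exposed to `public_network` with no daemon listening on it. Either drop the second `with_items` entry, `- { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" }`, and rename the task back to `open monitor ports`, or gate that entry on `mgr_group_name in group_names`. The hunk also removes the `open restapi ports` task entirely (old side only) without the commit message mentioning it, so hosts in `restapi_group_name` no longer get `restapi_port` opened — worth confirming that removal is intended rather than a side effect of the revert. Separately, `enabled: yes` in `start firewalld` would be better written `enabled: true` for the same YAML 1.1 reason.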