--- - name: check firewalld installation on redhat or suse command: rpm -q firewalld args: warn: no register: firewalld_pkg_query ignore_errors: true check_mode: no changed_when: false tags: - firewall - name: open monitor ports firewalld: service: ceph-mon zone: "{{ ceph_mon_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - mon_group_name is defined - mon_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open manager ports firewalld: service: ceph zone: "{{ ceph_mgr_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - ceph_release_num[ceph_release] >= ceph_release_num.luminous - mgr_group_name is defined - mgr_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open osd ports firewalld: service: ceph zone: "{{ ceph_osd_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - osd_group_name is defined - osd_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open rgw ports firewalld: port: "{{ radosgw_civetweb_port }}/tcp" zone: "{{ ceph_rgw_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - rgw_group_name is defined - rgw_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open mds ports firewalld: service: ceph zone: "{{ ceph_mds_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - mds_group_name is defined - mds_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open nfs ports firewalld: service: nfs zone: "{{ ceph_nfs_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - nfs_group_name is defined - nfs_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open nfs ports (portmapper) firewalld: port: "111/tcp" zone: "{{ ceph_nfs_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - nfs_group_name is defined - nfs_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open restapi ports firewalld: port: "{{ restapi_port }}/tcp" zone: "{{ ceph_restapi_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - restapi_group_name is defined - restapi_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open rbdmirror ports firewalld: service: ceph zone: "{{ ceph_rbdmirror_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - rbdmirror_group_name is defined - rbdmirror_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - name: open iscsi ports firewalld: port: "5001/tcp" zone: "{{ ceph_iscsi_firewall_zone }}" permanent: true immediate: false # if true then fails in case firewalld is stopped state: enabled notify: restart firewalld when: - iscsi_group_name is defined - iscsi_group_name in group_names - firewalld_pkg_query.rc == 0 tags: - firewall - meta: flush_handlers