ceph-ansible/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml

173 lines
4.1 KiB
YAML

---
- name: check firewalld installation on redhat or suse
command: rpm -q firewalld
args:
warn: no
register: firewalld_pkg_query
ignore_errors: true
check_mode: no
changed_when: false
tags:
- firewall
- name: start firewalld
service:
name: firewalld
state: started
enabled: yes
when:
- firewalld_pkg_query.rc == 0
- name: open monitor ports
firewalld:
service: ceph-mon
zone: "{{ ceph_mon_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- mon_group_name is defined
- mon_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open manager ports
firewalld:
service: ceph
zone: "{{ ceph_mgr_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- ceph_release_num[ceph_release] >= ceph_release_num.luminous
- mgr_group_name is defined
- mgr_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open osd ports
firewalld:
service: ceph
zone: "{{ ceph_osd_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- osd_group_name is defined
- osd_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open rgw ports
firewalld:
port: "{{ radosgw_civetweb_port }}/tcp"
zone: "{{ ceph_rgw_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- rgw_group_name is defined
- rgw_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open mds ports
firewalld:
service: ceph
zone: "{{ ceph_mds_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- mds_group_name is defined
- mds_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open nfs ports
firewalld:
service: nfs
zone: "{{ ceph_nfs_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- nfs_group_name is defined
- nfs_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open nfs ports (portmapper)
firewalld:
port: "111/tcp"
zone: "{{ ceph_nfs_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- nfs_group_name is defined
- nfs_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open restapi ports
firewalld:
port: "{{ restapi_port }}/tcp"
zone: "{{ ceph_restapi_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- restapi_group_name is defined
- restapi_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open rbdmirror ports
firewalld:
service: ceph
zone: "{{ ceph_rbdmirror_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- rbdmirror_group_name is defined
- rbdmirror_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- name: open iscsi ports
firewalld:
port: "5001/tcp"
zone: "{{ ceph_iscsi_firewall_zone }}"
permanent: true
immediate: false # if true then fails in case firewalld is stopped
state: enabled
notify: restart firewalld
when:
- iscsi_group_name is defined
- iscsi_group_name in group_names
- firewalld_pkg_query.rc == 0
tags:
- firewall
- meta: flush_handlers