From 7d50ffe98dfa17e3fb72627699c794843ed5295d Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Thu, 10 Aug 2017 21:13:54 -0400
Subject: Updated README to reflect refactor. Moved firewall initialization into
 a separate file.

---
 playbooks/common/openshift-cluster/config.yml      | 15 ---------
 .../openshift-cluster/initialize_firewall.yml      |  7 ++++
 playbooks/common/openshift-cluster/std_include.yml |  4 +++
 roles/cockpit/defaults/main.yml                    |  3 ++
 roles/cockpit/tasks/firewall.yml                   |  4 +--
 roles/etcd/defaults/main.yaml                      |  3 ++
 roles/etcd/tasks/firewall.yml                      |  4 +--
 roles/nuage_master/defaults/main.yml               |  3 ++
 roles/nuage_master/tasks/firewall.yml              |  4 +--
 roles/nuage_node/defaults/main.yml                 |  3 ++
 roles/nuage_node/tasks/firewall.yml                |  4 +--
 roles/openshift_hosted/defaults/main.yml           |  6 ++++
 roles/openshift_hosted/tasks/registry/firewall.yml |  4 +--
 roles/openshift_hosted/tasks/router/firewall.yml   |  4 +--
 roles/openshift_loadbalancer/defaults/main.yml     |  3 ++
 roles/openshift_loadbalancer/tasks/firewall.yml    |  4 +--
 roles/openshift_master/defaults/main.yml           |  3 ++
 roles/openshift_master/tasks/firewall.yml          |  4 +--
 roles/openshift_node/defaults/main.yml             |  2 ++
 roles/openshift_node/tasks/firewall.yml            |  4 +--
 roles/openshift_storage_nfs/defaults/main.yml      |  3 ++
 roles/openshift_storage_nfs/tasks/firewall.yml     |  4 +--
 roles/os_firewall/README.md                        | 37 ++++++++--------------
 roles/os_firewall/defaults/main.yml                |  2 --
 24 files changed, 74 insertions(+), 60 deletions(-)
 create mode 100644 playbooks/common/openshift-cluster/initialize_firewall.yml

diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 423573540..7136f1c1f 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -26,21 +26,6 @@
   tags:
   - always
 
-- name: Setup firewall
-  hosts: oo_all_hosts
-  tags:
-  - always
-  tasks:
-  # This should move to intialize_facts
-  - name: set os_firewall_enabled
-    set_fact:
-      os_firewall_enabled: true
-      os_firewall_use_firewalld: false
-
-  - name: Set proper firewall settings
-    include_role:
-      name: os_firewall
-
 - name: Disable excluders
   hosts: oo_masters_to_config:oo_nodes_to_config
   tags:
diff --git a/playbooks/common/openshift-cluster/initialize_firewall.yml b/playbooks/common/openshift-cluster/initialize_firewall.yml
new file mode 100644
index 000000000..7d7a427d4
--- /dev/null
+++ b/playbooks/common/openshift-cluster/initialize_firewall.yml
@@ -0,0 +1,7 @@
+---
+- name: Initialize host facts
+  hosts: oo_all_hosts
+  tasks:
+  - name: install and configure the proper firewall settings
+    include_role:
+      name: os_firewall
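Review bot: The play name on the second line, `Initialize host facts`, describes a different play; this one only includes the os_firewall role, so `- name: Initialize firewall` (or the removed config.yml play's `Setup firewall`) would make `--list-tasks` output and run logs show what actually executes. The play it replaces in config.yml also carried `tags: - always` on the play itself, whereas here only the `- include:` line in std_include.yml is tagged, which is presumably sufficient if tags propagate through that static include but is worth confirming against the Ansible version the repository pins. The removed play additionally set `os_firewall_enabled` and `os_firewall_use_firewalld` as facts on every host; those now resolve from roles/os_firewall/defaults/main.yml, visible in the last hunk of this patch, so inventory overrides of those names are the only remaining way to change them.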
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml
index 6ed31a644..eab16aba0 100644
--- a/playbooks/common/openshift-cluster/std_include.yml
+++ b/playbooks/common/openshift-cluster/std_include.yml
@@ -14,3 +14,7 @@
 - include: initialize_openshift_version.yml
   tags:
   - always
+
+- include: initialize_firewall.yml
+  tags:
+  - always
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml
index 97b00db04..cbe5bb92b 100644
--- a/roles/cockpit/defaults/main.yml
+++ b/roles/cockpit/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_cockpit_firewall_enabled: True
+r_cockpit_use_firewalld: False
+
 r_cockpit_os_firewall_deny: []
 r_cockpit_os_firewall_allow:
 - service: cockpit-ws
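Review bot: `r_cockpit_use_firewalld: False` is a fixed default that no longer tracks `os_firewall_use_firewalld`, the variable the os_firewall role (roles/os_firewall/defaults/main.yml in this patch) uses to decide whether firewalld or iptables is installed. An inventory that sets `os_firewall_use_firewalld: true` would therefore get firewalld installed while roles/cockpit/tasks/firewall.yml still takes its iptables branch, so the cockpit-ws allow rule never lands in the active firewall, unless something outside this diff overrides the `r_cockpit_*` variables. Deriving the defaults keeps a single source of truth: `r_cockpit_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"` and `r_cockpit_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"`. The same applies to the defaults hunks for etcd, nuage_master, nuage_node, openshift_hosted (router and registry), openshift_loadbalancer, openshift_master, openshift_node and openshift_storage_nfs. As a point of style, the capitalised `True`/`False` literals are YAML 1.1 booleans that yamllint's truthy rule rejects; lowercase `true`/`false` match the `r_openshift_master_clean_install: false` form shown in the openshift_master defaults hunk.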
diff --git a/roles/cockpit/tasks/firewall.yml b/roles/cockpit/tasks/firewall.yml
index 0e253a9f5..e597ac84d 100644
--- a/roles/cockpit/tasks/firewall.yml
+++ b/roles/cockpit/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index c14137d4e..d12d7a358 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,4 +1,7 @@
 ---
+r_etcd_firewall_enabled: True
+r_etcd_use_firewalld: False
+
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
 
diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml
index fcfdf5227..4d0f6290a 100644
--- a/roles/etcd/tasks/firewall.yml
+++ b/roles/etcd/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/nuage_master/defaults/main.yml b/roles/nuage_master/defaults/main.yml
index 2aed521da..ffab25775 100644
--- a/roles/nuage_master/defaults/main.yml
+++ b/roles/nuage_master/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_nuage_master_firewall_enabled: True
+r_nuage_master_use_firewalld: False
+
 nuage_mon_rest_server_port: '9443'
 
 r_nuage_master_os_firewall_deny: []
diff --git a/roles/nuage_master/tasks/firewall.yml b/roles/nuage_master/tasks/firewall.yml
index b4da2ac83..0057dc9ab 100644
--- a/roles/nuage_master/tasks/firewall.yml
+++ b/roles/nuage_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/nuage_node/defaults/main.yml b/roles/nuage_node/defaults/main.yml
index 7a71273e7..b3d2e3cec 100644
--- a/roles/nuage_node/defaults/main.yml
+++ b/roles/nuage_node/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_nuage_node_firewall_enabled: True
+r_nuage_node_use_firewalld: False
+
 nuage_mon_rest_server_port: '9443'
 
 r_nuage_node_os_firewall_deny: []
diff --git a/roles/nuage_node/tasks/firewall.yml b/roles/nuage_node/tasks/firewall.yml
index 008f3a95b..baf600d57 100644
--- a/roles/nuage_node/tasks/firewall.yml
+++ b/roles/nuage_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index f1fd0f4b7..13cbfb14e 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -1,4 +1,10 @@
 ---
+r_openshift_hosted_router_firewall_enabled: True
+r_openshift_hosted_router_use_firewalld: False
+
+r_openshift_hosted_registry_firewall_enabled: True
+r_openshift_hosted_registry_use_firewalld: False
+
 registry_volume_claim: 'registry-claim'
 
 openshift_hosted_router_edits:
diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml
index f48eb3b12..775b7d6d7 100644
--- a/roles/openshift_hosted/tasks/registry/firewall.yml
+++ b/roles/openshift_hosted/tasks/registry/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_hosted/tasks/router/firewall.yml b/roles/openshift_hosted/tasks/router/firewall.yml
index fd9a9c2e7..ff90f3372 100644
--- a/roles/openshift_hosted/tasks/router/firewall.yml
+++ b/roles/openshift_hosted/tasks/router/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 35a14b1a5..3f6409233 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
 haproxy_frontends:
 - name: main
   binds:
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
index def868134..7d6e8ff36 100644
--- a/roles/openshift_loadbalancer/tasks/firewall.yml
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 0b35c180e..a4c178908 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
 openshift_node_ips: []
 r_openshift_master_clean_install: false
 r_openshift_master_etcd3_storage: false
diff --git a/roles/openshift_master/tasks/firewall.yml b/roles/openshift_master/tasks/firewall.yml
index 80a91fa2e..e51eeb56e 100644
--- a/roles/openshift_master/tasks/firewall.yml
+++ b/roles/openshift_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 92237757c..973b3a619 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
 r_openshift_node_os_firewall_deny: []
 r_openshift_node_os_firewall_allow:
 - service: Kubernetes kubelet
diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
index 492dcee1d..255aa886a 100644
--- a/roles/openshift_node/tasks/firewall.yml
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml
index 1e9265b00..4a2bc6141 100644
--- a/roles/openshift_storage_nfs/defaults/main.yml
+++ b/roles/openshift_storage_nfs/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
 r_openshift_storage_nfs_os_firewall_deny: []
 r_openshift_storage_nfs_os_firewall_allow:
 - service: nfs
diff --git a/roles/openshift_storage_nfs/tasks/firewall.yml b/roles/openshift_storage_nfs/tasks/firewall.yml
index 9bca80b40..c1c318ff4 100644
--- a/roles/openshift_storage_nfs/tasks/firewall.yml
+++ b/roles/openshift_storage_nfs/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index e7ef544f4..be0b8291a 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -1,8 +1,8 @@
 OS Firewall
 ===========
 
-OS Firewall manages firewalld and iptables firewall settings for a minimal use
-case (Adding/Removing rules based on protocol and port number).
+OS Firewall manages firewalld and iptables installation.
+case.
 
 Note: firewalld is not supported on Atomic Host
 https://bugzilla.redhat.com/show_bug.cgi?id=1403331
@@ -18,8 +18,6 @@ Role Variables
 | Name                      | Default |                                        |
 |---------------------------|---------|----------------------------------------|
 | os_firewall_use_firewalld | False   | If false, use iptables                 |
-| os_firewall_allow         | []      | List of service,port mappings to allow |
-| os_firewall_deny          | []      | List of service, port mappings to deny |
 
 Dependencies
 ------------
@@ -29,34 +27,27 @@ None.
 Example Playbook
 ----------------
 
-Use iptables and open tcp ports 80 and 443:
+Use iptables:
 ```
 ---
 - hosts: servers
-  vars:
-    os_firewall_use_firewalld: false
-    os_firewall_allow:
-    - service: httpd
-      port: 80/tcp
-    - service: https
-      port: 443/tcp
-  roles:
-  - os_firewall
+  task:
+  - include_role:
+      name: os_firewall
+    vars:
+      os_firewall_use_firewalld: false
 ```
 
-Use firewalld and open tcp port 443 and close previously open tcp port 80:
+Use firewalld:
 ```
 ---
 - hosts: servers
   vars:
-    os_firewall_allow:
-    - service: https
-      port: 443/tcp
-    os_firewall_deny:
-    - service: httpd
-      port: 80/tcp
-  roles:
-  - os_firewall
+  tasks:
+  - include_role:
+      name: os_firewall
+    vars:
+      os_firewall_use_firewalld: true
 ```
 
 License
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index 01859e5fc..f96a80f1c 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -3,5 +3,3 @@ os_firewall_enabled: True
 # firewalld is not supported on Atomic Host
 # https://bugzilla.redhat.com/show_bug.cgi?id=1403331
 os_firewall_use_firewalld: "{{ False }}"
-os_firewall_allow: []
-os_firewall_deny: []
-- 