refactor firewall management into new role

- Add os_firewall role
- Remove firewall settings from base_os, add wait task to os_firewall
- Added a iptables firewall module for maintaining the following (in a mostly
  naive manner):
  - ensure the OPENSHIFT_ALLOW chain is defined
  - ensure that there is a jump rule in the INPUT chain for OPENSHIFT_ALLOW
  - adds or removes entries from the OPENSHIFT_ALLOW chain
  - issues '/usr/libexec/iptables/iptables.init save' when rules are changed
- Limitations of iptables firewall module
  - only allows setting of ports/protocols to open
  - no testing on ipv6 support
- made os_firewall a dependency of openshift_common
- Hardcoded openshift_common to use iptables (through the vars directory)
  until upstream support is in place for firewalld

1 files changed, 0 insertions, 16 deletions

diff --git a/roles/base_os/tasks/main.yaml b/roles/base_os/tasks/main.yaml
index 51fe1e5b6..aad611f70 100644
--- a/roles/base_os/tasks/main.yaml
+++ b/roles/base_os/tasks/main.yaml
@@ -15,19 +15,3 @@
   yum:
     pkg: bash-completion
     state: installed
-
-- name: Install firewalld
-  yum:
-    pkg: firewalld
-    state: installed
-
-- name: start and enable firewalld service
-  service:
-    name: firewalld
-    state: started
-    enabled: yes
-  register: result
-
-- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
-  pause: seconds=10
-  when: result | changed