Diffstat (limited to 'roles/os_firewall')
-rw-r--r-- | roles/os_firewall/README.md | 60 | ||||
-rw-r--r-- | roles/os_firewall/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewalld.yml | 57 | ||||
-rw-r--r-- | roles/os_firewall/tasks/iptables.yml | 41 | ||||
-rw-r--r-- | roles/os_firewall/tasks/main.yml | 19 |
5 files changed, 182 insertions, 0 deletions
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
new file mode 100644
index 000000000..be0b8291a
--- /dev/null
+++ b/roles/os_firewall/README.md
@@ -0,0 +1,60 @@
+OS Firewall
+===========
+
+OS Firewall manages firewalld and iptables installation.
+case.
+
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
+Requirements
+------------
+
+Ansible 2.2
+
+Role Variables
+--------------
+
+| Name | Default | |
+|---------------------------|---------|----------------------------------------|
+| os_firewall_use_firewalld | False | If false, use iptables |
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+Use iptables:
+```
+---
+- hosts: servers
+ task:
+ - include_role:
+ name: os_firewall
+ vars:
+ os_firewall_use_firewalld: false
+```
+
+Use firewalld:
+```
+---
+- hosts: servers
+ vars:
+ tasks:
+ - include_role:
+ name: os_firewall
+ vars:
+ os_firewall_use_firewalld: true
+```
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+Jason DeTiberus - jdetiber@redhat.com
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
new file mode 100644
index 000000000..2cae94411
--- /dev/null
+++ b/roles/os_firewall/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+os_firewall_enabled: True
+# firewalld is not supported on Atomic Host
+# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+os_firewall_use_firewalld: False
diff --git a/roles/os_firewall/tasks/firewalld.yml b/roles/os_firewall/tasks/firewalld.yml
new file mode 100644
index 000000000..54430f402
--- /dev/null
+++ b/roles/os_firewall/tasks/firewalld.yml
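Review bot: The two defaults use the capitalised YAML 1.1 forms `True` and `False`; Ansible reads them as booleans, but yamllint's truthy rule flags them, and since every consumer in main.yml already coerces with `| bool`, the canonical `os_firewall_enabled: true` and `os_firewall_use_firewalld: false` would read more clearly. `os_firewall_enabled` is also absent from the role-variables table in the README added by the same commit, which lists only `os_firewall_use_firewalld`, so a reader of the README cannot tell the role can be switched off entirely. The README's opening paragraph additionally ends in a stray `case.` fragment that looks like a leftover from an edit.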
@@ -0,0 +1,57 @@
+---
+- name: Fail - Firewalld is not supported on Atomic Host
+ fail:
+ msg: "Firewalld is not supported on Atomic Host"
+ when: r_os_firewall_is_atomic | bool
+
+- name: Install firewalld packages
+ package:
+ name: firewalld
+ state: present
+
+- name: Ensure iptables services are not enabled
+ systemd:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ masked: yes
+ with_items:
+ - iptables
+ - ip6tables
+ register: task_result
+ failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling iptables
+ pause:
+ seconds: 10
+ when: task_result | changed
+
+- name: Start and enable firewalld service
+ systemd:
+ name: firewalld
+ state: started
+ enabled: yes
+ masked: no
+ daemon_reload: yes
+ register: result
+
+- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
+ pause:
+ seconds: 10
+ when: result | changed
+
+- name: Restart polkitd
+ systemd:
+ name: polkit
+ state: restarted
+ when: result | changed
+
+# Fix suspected race between firewalld and polkit BZ1436964
+- name: Wait for polkit action to have been created
+ command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info
+ ignore_errors: true
+ register: pkaction
+ changed_when: false
+ until: pkaction.rc == 0
+ retries: 6
+ delay: 10
diff --git a/roles/os_firewall/tasks/iptables.yml b/roles/os_firewall/tasks/iptables.yml
new file mode 100644
index 000000000..2d74f2e48
--- /dev/null
+++ b/roles/os_firewall/tasks/iptables.yml
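Review bot: Whenever `Ensure iptables services are not enabled` actually stops and masks iptables/ip6tables, the host runs with no packet filter from that point until `Start and enable firewalld service` completes, which includes the whole `Wait 10 seconds after disabling iptables` pause, and nothing in the file records why that pause is needed; iptables.yml in the same commit has the same gap between stopping firewalld and starting iptables. I would keep that window as short as the ssh-stability issue allows and document it, e.g. `# Host is unfiltered from here until firewalld is started; keep this pause minimal`. The `Wait for polkit action to have been created` task combines `until`/`retries` with `ignore_errors: true`, so exhausting the six retries is silent; if that best-effort behaviour is intended, the BZ1436964 comment should say so. The `|failed` and `|changed` filter forms are valid on the Ansible 2.2 floor the README states but were later replaced by the `is failed` / `is changed` tests, so expect churn there on upgrade.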
@@ -0,0 +1,41 @@
+---
+
+- name: Ensure firewalld service is not enabled
+ systemd:
+ name: firewalld
+ state: stopped
+ enabled: no
+ masked: yes
+ register: task_result
+ failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling firewalld
+ pause:
+ seconds: 10
+ when: task_result | changed
+
+- name: Install iptables packages
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - iptables
+ - iptables-services
+ when: not r_os_firewall_is_atomic | bool
+
+- name: Start and enable iptables service
+ systemd:
+ name: iptables
+ state: started
+ enabled: yes
+ masked: no
+ daemon_reload: yes
+ register: result
+ delegate_to: "{{item}}"
+ run_once: true
+ with_items: "{{ ansible_play_batch }}"
+
+- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
+ pause:
+ seconds: 10
+ when: result | changed
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
new file mode 100644
index 000000000..c477d386c
--- /dev/null
+++ b/roles/os_firewall/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Detecting Atomic Host Operating System
+ stat:
+ path: /run/ostree-booted
+ register: r_os_firewall_ostree_booted
+
+- name: Set fact r_os_firewall_is_atomic
+ set_fact:
+ r_os_firewall_is_atomic: "{{ r_os_firewall_ostree_booted.stat.exists }}"
+
+- include: firewalld.yml
+ when:
+ - os_firewall_enabled | bool
+ - os_firewall_use_firewalld | bool
+
+- include: iptables.yml
+ when:
+ - os_firewall_enabled | bool
+ - not os_firewall_use_firewalld | bool
|
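Review bot: `Start and enable iptables service` loops over `ansible_play_batch` with `delegate_to: "{{item}}"` and `run_once: true`, so a single host starts and enables iptables on every host in the batch, whereas main.yml includes this file per host based on that host's own `os_firewall_enabled` and `os_firewall_use_firewalld`; in a mixed inventory a host configured for firewalld, or with the role disabled, would still have iptables started on it by a neighbour. Unless the one-pause-for-all-hosts behaviour is deliberate, the simpler form matching firewalld.yml is to drop the three lines `delegate_to: "{{item}}"`, `run_once: true` and `with_items: "{{ ansible_play_batch }}"` and let the task run on each host. If it is deliberate, a comment above the task explaining why is needed, and `{{item}}` should be written `"{{ item }}"` like the rest of the role. The `Install iptables packages` task is skipped on Atomic Host, so the start task presumably relies on the unit being preinstalled there; a comment stating that assumption would help the next reader.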
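Review bot: Nothing documents that `os_firewall_enabled: false` merely skips both includes and leaves whatever firewall the host already has untouched, rather than disabling a firewall; a comment above the first include, `# Disabled: neither firewalld nor iptables is touched; existing state is left as-is`, would prevent the obvious misreading. The Atomic detection via `stat` of `/run/ostree-booted` is sound, but `r_os_firewall_is_atomic` is set from a Jinja template, so on the Ansible 2.2 floor the README states it is most likely stored as a string rather than a native boolean; every consumer must keep the `| bool` coercion that firewalld.yml and iptables.yml currently apply, which is worth a comment on the `set_fact`. `- include:` with a `when:` list is fine for 2.2; later releases split this into `include_tasks`/`import_tasks`, which is worth noting rather than changing now.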