Support configuration of firewalld

Adds support for configuring firewalld for CentOS hosts managed by Kayobe. * create zones * set default zone * set zone for interfaces * define rules Change-Id: Id60e25e129e323f3c07e702bb81a11efc530fb3e Story: 2008991 Task: 42644
2021-06-18 11:26:58 +01:00 · 2021-06-18 11:26:58 +01:00 · 7d15aa16f2
parent f09faa43d1
commit 7d15aa16f2
29 changed files with 631 additions and 3 deletions
--- a/ansible/firewall.yml
+++ b/ansible/firewall.yml
@ -0,0 +1,12 @@
+---
+- name: Ensure firewall is configured
+  hosts: seed-hypervisor:seed:overcloud
+  tags:
+    - config
+    - firewall
+  tasks:
+    - name: Configure the firewall
+      include_role:
+        name: "firewall-{{ ansible_facts.os_family | lower }}"
+      when:
+        - ansible_facts.os_family == 'RedHat'
--- a/ansible/group_vars/all/compute
+++ b/ansible/group_vars/all/compute
@ -133,3 +133,24 @@ compute_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 compute_users: "{{ users_default }}"
+
+###############################################################################
+# Compute node firewalld configuration.
+
+# Whether to install and enable firewalld.
+compute_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+compute_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+compute_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+compute_firewalld_rules: []
--- a/ansible/group_vars/all/controllers
+++ b/ansible/group_vars/all/controllers
@ -155,3 +155,24 @@ controller_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 controller_users: "{{ users_default }}"
+
+###############################################################################
+# Controller node firewalld configuration.
+
+# Whether to install and enable firewalld.
+controller_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+controller_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+controller_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+controller_firewalld_rules: []
--- a/ansible/group_vars/all/monitoring
+++ b/ansible/group_vars/all/monitoring
@ -94,3 +94,24 @@ monitoring_sysctl_parameters: "{{ controller_sysctl_parameters }}"
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 monitoring_users: "{{ controller_users }}"
+
+###############################################################################
+# Monitoring node firewalld configuration.
+
+# Whether to install and enable firewalld.
+monitoring_firewalld_enabled: "{{ controller_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+monitoring_firewalld_zones: "{{ controller_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+monitoring_firewalld_rules: "{{ controller_firewalld_rules }}"
--- a/ansible/group_vars/all/seed
+++ b/ansible/group_vars/all/seed
@ -113,3 +113,24 @@ seed_users: "{{ users_default }}"
 #     post: "{{ kayobe_env_config_path }}/containers/squid/post.yml"
 #
 seed_containers: {}
+
+###############################################################################
+# Seed node firewalld configuration.
+
+# Whether to install and enable firewalld.
+seed_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+seed_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+seed_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+seed_firewalld_rules: []
--- a/ansible/group_vars/all/seed-hypervisor
+++ b/ansible/group_vars/all/seed-hypervisor
@ -128,3 +128,24 @@ seed_hypervisor_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 seed_hypervisor_users: "{{ users_default }}"
+
+###############################################################################
+# Seed hypervisor node firewalld configuration.
+
+# Whether to install and enable firewalld.
+seed_hypervisor_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+seed_hypervisor_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+seed_hypervisor_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+seed_hypervisor_firewalld_rules: []
--- a/ansible/group_vars/all/storage
+++ b/ansible/group_vars/all/storage
@ -145,3 +145,24 @@ storage_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 storage_users: "{{ users_default }}"
+
+###############################################################################
+# Storage node firewalld configuration.
+
+# Whether to install and enable firewalld.
+storage_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+storage_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+storage_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+storage_firewalld_rules: []
--- a/ansible/group_vars/compute/firewall
+++ b/ansible/group_vars/compute/firewall
@ -0,0 +1,21 @@
+---
+###############################################################################
+# Compute node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ compute_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ compute_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ compute_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ compute_firewalld_rules }}"
--- a/ansible/group_vars/controllers/firewall
+++ b/ansible/group_vars/controllers/firewall
@ -0,0 +1,21 @@
+---
+###############################################################################
+# Controller node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ controller_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ controller_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ controller_firewalld_rules }}"
--- a/ansible/group_vars/monitoring/firewall
+++ b/ansible/group_vars/monitoring/firewall
@ -0,0 +1,33 @@
+---
+###############################################################################
+# Monitoring node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: >-
+  {{ controller_firewalld_enabled
+     if inventory_hostname in groups['controllers'] else
+     monitoring_firewalld_enabled }}
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: >
+  {{ controller_firewalld_zones
+     if inventory_hostname in groups['controllers'] else
+     monitoring_firewalld_zones }}
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: >-
+  {{ controller_firewalld_default_zone
+     if inventory_hostname in groups['controllers'] else
+     monitoring_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: >
+  {{ controller_firewalld_rules
+     if inventory_hostname in groups['controllers'] else
+     monitoring_firewalld_rules }}"
--- a/ansible/group_vars/seed-hypervisor/firewall
+++ b/ansible/group_vars/seed-hypervisor/firewall
@ -0,0 +1,21 @@
+---
+###############################################################################
+# Seed Hypervisor node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ seed_hypervisor_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ seed_hypervisor_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ seed_hypervisor_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ seed_hypervisor_firewalld_rules }}"
--- a/ansible/group_vars/seed/firewall
+++ b/ansible/group_vars/seed/firewall
@ -0,0 +1,21 @@
+---
+###############################################################################
+# Seed node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ seed_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ seed_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ seed_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ seed_firewalld_rules }}"
--- a/ansible/group_vars/storage/firewall
+++ b/ansible/group_vars/storage/firewall
@ -0,0 +1,21 @@
+---
+###############################################################################
+# Storage node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ storage_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ storage_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ storage_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ storage_firewalld_rules }}"
--- a/ansible/roles/firewall-redhat/defaults/main.yml
+++ b/ansible/roles/firewall-redhat/defaults/main.yml
@ -0,0 +1,18 @@
+---
+# Whether to install and enable firewalld.
+firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: []
--- a/ansible/roles/firewall-redhat/handlers/main.yml
+++ b/ansible/roles/firewall-redhat/handlers/main.yml
@ -0,0 +1,10 @@
+---
+- name: Restart firewalld
+  service:
+    name: firewalld
+    state: restarted
+  become: true
+
+- name: Check connectivity after firewalld restart
+  ping:
+  listen: Restart firewalld
--- a/ansible/roles/firewall-redhat/tasks/disabled.yml
+++ b/ansible/roles/firewall-redhat/tasks/disabled.yml
@ -0,0 +1,18 @@
+---
+- name: Ensure firewalld service is stopped and disabled
+  service:
+    name: firewalld
+    enabled: false
+    state: stopped
+  become: true
+  register: firewalld_result
+  failed_when:
+    - firewalld_result is failed
+    # Ugh, Ansible's service module doesn't handle uninstalled services.
+    - "'Could not find the requested service' not in firewalld_result.msg"
+
+- name: Ensure firewalld package is uninstalled
+  package:
+    name: firewalld
+    state: absent
+  become: true
--- a/ansible/roles/firewall-redhat/tasks/enabled.yml
+++ b/ansible/roles/firewall-redhat/tasks/enabled.yml
@ -0,0 +1,71 @@
+---
+- name: Ensure firewalld package is installed
+  package:
+    name: firewalld
+  become: true
+
+- name: Ensure firewalld service is enabled
+  service:
+    name: firewalld
+    enabled: true
+    # FIXME: should be possible to configure firewalld offline, but it fails to
+    # apply config.
+    state: started
+  become: true
+
+- block:
+    - name: Get firewalld current default zone
+      command:
+        cmd: "firewall-offline-cmd --get-default-zone"
+      changed_when: false
+      register: current_default_zone
+
+    - name: Set firewalld default zone
+      command: "firewall-offline-cmd --set-default-zone {{ firewalld_default_zone }}"
+      when: current_default_zone.stdout != firewalld_default_zone
+      notify: Restart firewalld
+  become: true
+  when:
+    - firewalld_default_zone is not none
+    - firewalld_default_zone | length > 0
+
+- name: Ensure firewalld zones exist
+  firewalld:
+    offline: true
+    permanent: true
+    state: "{{ item.state | default('present') }}"
+    zone: "{{ item.zone }}"
+  become: true
+  loop: "{{ firewalld_zones }}"
+
+- name: Set firewalld zones for network interfaces
+  firewalld:
+    interface: "{{ item | net_interface }}"
+    offline: true
+    permanent: true
+    state: enabled
+    zone: "{{ item | net_zone }}"
+  become: true
+  loop: "{{ network_interfaces }}"
+  when: item | net_zone
+  notify: Restart firewalld
+
+- name: Ensure firewalld rules are applied
+  firewalld:
+    icmp_block: "{{ item.icmp_block | default(omit) }}"
+    icmp_block_inversion: "{{ item.icmp_block_inversion | default(omit) }}"
+    immediate: "{{ item.immediate | default(omit) }}"
+    interface: "{{ item.interface | default(omit) }}"
+    masquerade: "{{ item.masquerade | default(omit) }}"
+    offline: "{{ item.offline | default(true) }}"
+    permanent: "{{ item.permanent | default(true) }}"
+    port: "{{ item.port | default(omit) }}"
+    rich_rule: "{{ item.rich_rule | default(omit) }}"
+    service: "{{ item.service | default(omit) }}"
+    source: "{{ item.source | default(omit) }}"
+    state: "{{ item.state | default('enabled') }}"
+    timeout: "{{ item.timeout | default(omit) }}"
+    zone: "{{ item.zone | default(omit) }}"
+  become: true
+  loop: "{{ firewalld_rules }}"
+  notify: Restart firewalld
--- a/ansible/roles/firewall-redhat/tasks/main.yml
+++ b/ansible/roles/firewall-redhat/tasks/main.yml
@ -0,0 +1,3 @@
+---
+- name: Include tasks
+  include_tasks: "{{ 'enabled' if firewalld_enabled | bool else 'disabled' }}.yml"
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@ -565,6 +565,9 @@ kolla_group: "{{ kolla_ansible_group }}"
 virtualenv: {{ kolla_ansible_target_venv }}
 {% endif %}

+# Avoid disabling the firewall on CentOS, since we manage it in Kayobe.
+disable_firewall: "{% raw %}{{ ansible_facts.os_family == 'Debian' }}{% endraw %}"
+
 {% if kolla_extra_globals %}
 #######################
 # Extra configuration
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@ -328,6 +328,98 @@ Network Configuration
 Configuration of host networking is covered in depth in
 :ref:`configuration-network`.

+Firewalld
+=========
+*tags:*
+  | ``firewall``
+
+.. note:: Firewalld is supported on CentOS systems only. Currently no
+          firewall is supported on Ubuntu.
+
+Firewalld can be used to provide a firewall on CentOS systems. Since the Xena
+release, Kayobe provides support for enabling or disabling firewalld, as well
+as defining zones and rules.
+
+The following variables can be used to set whether to enable firewalld:
+
+* ``seed_hypervisor_firewalld_enabled``
+* ``seed_firewalld_enabled``
+* ``compute_firewalld_enabled``
+* ``controller_firewalld_enabled``
+* ``monitoring_firewalld_enabled``
+* ``storage_firewalld_enabled``
+
+When firewalld is enabled, the following variables can be used to configure a
+list of zones to create. Each item is a dict containing a ``zone`` item:
+
+* ``seed_hypervisor_firewalld_zones``
+* ``seed_firewalld_zones``
+* ``compute_firewalld_zones``
+* ``controller_firewalld_zones``
+* ``monitoring_firewalld_zones``
+* ``storage_firewalld_zones``
+
+The following variables can be used to set a default zone. The default is
+unset, in which case the default zone will not be changed:
+
+* ``seed_hypervisor_firewalld_default_zone``
+* ``seed_firewalld_default_zone``
+* ``compute_firewalld_default_zone``
+* ``controller_firewalld_default_zone``
+* ``monitoring_firewalld_default_zone``
+* ``storage_firewalld_default_zone``
+
+The following variables can be used to set a list of rules to apply. Each item
+is a dict containing arguments to pass to the ``firewalld`` module. Arguments
+are omitted if not provided, with the following exceptions: ``offline``
+(default ``true``), ``permanent`` (default ``true``), ``state`` (default
+``enabled``):
+
+* ``seed_hypervisor_firewalld_rules``
+* ``seed_firewalld_rules``
+* ``compute_firewalld_rules``
+* ``controller_firewalld_rules``
+* ``monitoring_firewalld_rules``
+* ``storage_firewalld_rules``
+
+In the following example, firewalld is enabled on controllers. ``public`` and
+``internal`` zones are created, with their default rules disabled. TCP port
+8080 is open in the ``internal`` zone, and the ``http`` service is open in the
+``public`` zone:
+
+.. code-block:: yaml
+
+   controller_firewalld_enabled: true
+
+   controller_firewalld_zones:
+     - zone: public
+     - zone: internal
+
+   controller_firewalld_rules:
+     # Disable default rules in internal zone.
+     - service: dhcpv6-client
+       state: disabled
+       zone: internal
+     - service: samba-client
+       state: disabled
+       zone: internal
+     - service: ssh
+       state: disabled
+       zone: internal
+     # Disable default rules in public zone.
+     - service: dhcpv6-client
+       state: disabled
+       zone: public
+     - service: ssh
+       state: disabled
+       zone: public
+     # Enable TCP port 8080 in internal zone.
+     - port: 8080/tcp
+       zone: internal
+     # Enable the HTTP service in the public zone.
+     - service: http
+       zone: public
+
 Sysctls
 =======
 *tags:*
--- a/etc/kayobe/compute.yml
+++ b/etc/kayobe/compute.yml
@ -115,6 +115,27 @@
 # singleplatform-eng.users role.
 #compute_users:

+###############################################################################
+# Compute node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#compute_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#compute_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#compute_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#compute_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/etc/kayobe/controllers.yml
+++ b/etc/kayobe/controllers.yml
@ -124,6 +124,27 @@
 # singleplatform-eng.users role.
 #controller_users:

+###############################################################################
+# Controller node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#controller_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#controller_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#controller_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#controller_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/etc/kayobe/monitoring.yml
+++ b/etc/kayobe/monitoring.yml
@ -88,6 +88,27 @@
 # singleplatform-eng.users role.
 #monitoring_users:

+###############################################################################
+# Monitoring node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#monitoring_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#monitoring_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#monitoring_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#monitoring_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/etc/kayobe/seed-hypervisor.yml
+++ b/etc/kayobe/seed-hypervisor.yml
@ -104,6 +104,27 @@
 # singleplatform-eng.users role.
 #seed_hypervisor_users:

+###############################################################################
+# Seed hypervisor node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#seed_hypervisor_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#seed_hypervisor_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#seed_hypervisor_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#seed_hypervisor_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@ -97,6 +97,27 @@
 #
 #seed_containers:

+###############################################################################
+# Seed node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#seed_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#seed_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#seed_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#seed_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/etc/kayobe/storage.yml
+++ b/etc/kayobe/storage.yml
@ -120,6 +120,27 @@
 # singleplatform-eng.users role.
 #storage_users:

+###############################################################################
+# Storage node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#storage_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#storage_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#storage_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#storage_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@ -413,6 +413,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
    * Optionally, wipe unmounted disk partitions (--wipe-disks).
    * Configure user accounts, group associations, and authorised SSH keys.
    * Configure the host's network interfaces.
+    * Configure a firewall.
    * Set sysctl parameters.
    * Configure timezone and ntp.
    * Optionally, configure software RAID arrays.
@ -453,7 +454,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
        if parsed_args.wipe_disks:
            playbooks += _build_playbook_list("wipe-disks")
        playbooks += _build_playbook_list(
-            "users", "dev-tools", "network", "sysctl", "time",
+            "users", "dev-tools", "network", "firewall", "sysctl", "time",
            "mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
        self.run_kayobe_playbooks(parsed_args, playbooks,
                                  limit="seed-hypervisor")
@ -571,6 +572,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
    * Configure user accounts, group associations, and authorised SSH keys.
    * Disable SELinux.
    * Configure the host's network interfaces.
+    * Configure a firewall.
    * Set sysctl parameters.
    * Configure IP routing and source NAT.
    * Disable bootstrap interface configuration.
@ -607,7 +609,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
        if parsed_args.wipe_disks:
            playbooks += _build_playbook_list("wipe-disks")
        playbooks += _build_playbook_list(
-            "users", "dev-tools", "disable-selinux", "network",
+            "users", "dev-tools", "disable-selinux", "network", "firewall",
            "sysctl", "ip-routing", "snat", "disable-glean", "time",
            "mdadm", "luks", "lvm", "docker-devicemapper",
            "kolla-ansible-user", "kolla-pip", "kolla-target-venv")
@ -946,6 +948,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
    * Configure user accounts, group associations, and authorised SSH keys.
    * Disable SELinux.
    * Configure the host's network interfaces.
+    * Configure a firewall.
    * Set sysctl parameters.
    * Disable bootstrap interface configuration.
    * Configure timezone and ntp.
@ -980,7 +983,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
        if parsed_args.wipe_disks:
            playbooks += _build_playbook_list("wipe-disks")
        playbooks += _build_playbook_list(
-            "users", "dev-tools", "disable-selinux", "network",
+            "users", "dev-tools", "disable-selinux", "network", "firewall",
            "sysctl", "disable-glean", "disable-cloud-init", "time",
            "mdadm", "luks", "lvm", "docker-devicemapper",
            "kolla-ansible-user", "kolla-pip", "kolla-target-venv")
--- a/kayobe/tests/unit/cli/test_commands.py
+++ b/kayobe/tests/unit/cli/test_commands.py
@ -324,6 +324,7 @@ class TestCase(unittest.TestCase):
                    utils.get_data_files_path("ansible", "users.yml"),
                    utils.get_data_files_path("ansible", "dev-tools.yml"),
                    utils.get_data_files_path("ansible", "network.yml"),
+                    utils.get_data_files_path("ansible", "firewall.yml"),
                    utils.get_data_files_path("ansible", "sysctl.yml"),
                    utils.get_data_files_path("ansible", "time.yml"),
                    utils.get_data_files_path("ansible", "mdadm.yml"),
@ -496,6 +497,7 @@ class TestCase(unittest.TestCase):
                    utils.get_data_files_path(
                        "ansible", "disable-selinux.yml"),
                    utils.get_data_files_path("ansible", "network.yml"),
+                    utils.get_data_files_path("ansible", "firewall.yml"),
                    utils.get_data_files_path("ansible", "sysctl.yml"),
                    utils.get_data_files_path("ansible", "ip-routing.yml"),
                    utils.get_data_files_path("ansible", "snat.yml"),
@ -1041,6 +1043,7 @@ class TestCase(unittest.TestCase):
                    utils.get_data_files_path(
                        "ansible", "disable-selinux.yml"),
                    utils.get_data_files_path("ansible", "network.yml"),
+                    utils.get_data_files_path("ansible", "firewall.yml"),
                    utils.get_data_files_path("ansible", "sysctl.yml"),
                    utils.get_data_files_path("ansible", "disable-glean.yml"),
                    utils.get_data_files_path(
--- a/releasenotes/notes/firewalld-48dd2efd52c79252.yaml
+++ b/releasenotes/notes/firewalld-48dd2efd52c79252.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for configuring a firewall via firewalld on CentOS. See `story
+    2008991 <https://storyboard.openstack.org/#!/story/2008991>`__ for details.