Merge "Apply public firewalld rules immediately"

ansible/roles/haproxy-config/tasks/main.yml

@@ -54,8 +54,9 @@
 
 - name: "Configuring firewall for {{ project_name }}"
   firewalld:
-    offline: "yes"
+    immediate: true
-    permanent: "yes"
+    offline: true
+    permanent: true
     port: "{{ item.value.port }}/tcp"
     state: "enabled"
     zone: "{{ external_api_firewalld_zone }}"
@@ -68,5 +69,3 @@
     - enable_external_api_firewalld | bool
     - kolla_action != "config"
   with_dict: "{{ project_services | extract_haproxy_services }}"
-  notify:
-    - "Reload firewalld"

ansible/roles/loadbalancer/handlers/main.yml

@@ -1,10 +1,4 @@
 ---
-- name: Reload firewalld
-  become: True
-  service:
-    name: "firewalld"
-    state: reloaded
-
 # NOTE(yoctozepto): this handler dance is to ensure we delay restarting master
 # keepalived and haproxy which control VIP address until we have working backups.
 # This could be improved by checking if backup keepalived do not report FAULT state.

releasenotes/notes/firewalld-immediate-c2abf09977c455a9.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Modifies public API firewalld rules to be applied immediately to a running
+    firewalld service. This requires firewalld to be running, but avoids
+    reloading firewalld, which is disruptive due to the way in which firewalld
+    builds its firewall chains.