Add disable_firewall variable

Adds a new variable, 'disable_firewall', which defaults to true. If set to false, then the host firewall will not be disabled during kolla-ansible bootstrap-servers. Change-Id: Ie5131013012f89c8c3b91ca359ad17d9cb77efc8
2021-06-30 14:35:37 +01:00 · 2021-06-30 14:35:37 +01:00 · 9fffc7bc52
parent e63d985ccb
commit 9fffc7bc52
4 changed files with 39 additions and 26 deletions
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@ -32,6 +32,9 @@ change_selinux: True

 selinux_state: "permissive"

+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
 docker_storage_driver: ""
 docker_custom_option: ""
 docker_custom_config: {}
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
@ -6,34 +6,36 @@
  when: ansible_facts.os_family == 'Debian'

 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
- name: Set firewall default policy
-  become: True
-  ufw:
-    state: disabled
-    policy: allow
-  when: ansible_facts.os_family == 'Debian'
-  ignore_errors: yes
+- block:
+    - name: Set firewall default policy
+      become: True
+      ufw:
+        state: disabled
+        policy: allow
+      when: ansible_facts.os_family == 'Debian'
+      ignore_errors: yes

- name: Check if firewalld is installed
-  command: rpm -q firewalld
-  register: firewalld_check
-  changed_when: false
-  failed_when: firewalld_check.rc > 1
-  args:
-    warn: false
-  when: ansible_facts.os_family == 'RedHat'
+    - name: Check if firewalld is installed
+      command: rpm -q firewalld
+      register: firewalld_check
+      changed_when: false
+      failed_when: firewalld_check.rc > 1
+      args:
+        warn: false
+      when: ansible_facts.os_family == 'RedHat'

- name: Disable firewalld
-  become: True
-  service:
-    name: "{{ item }}"
-    enabled: false
-    state: stopped
-  with_items:
-    - firewalld
-  when:
-    - ansible_facts.os_family == 'RedHat'
-    - firewalld_check.rc == 0
+    - name: Disable firewalld
+      become: True
+      service:
+        name: "{{ item }}"
+        enabled: false
+        state: stopped
+      with_items:
+        - firewalld
+      when:
+        - ansible_facts.os_family == 'RedHat'
+        - firewalld_check.rc == 0
+  when: disable_firewall | bool

 # Upgrading docker engine may cause containers to stop. Take a snapshot of the
 # running containers prior to a potential upgrade of Docker.
--- a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
+++ b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
@ -204,6 +204,8 @@ will be added to allow all traffic.

 On Red Hat family systems where firewalld is installed, it will be disabled.

+This behaviour can be avoided by setting ``disable_firewall`` to ``false``.
+
 Creation of Python virtual environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
+++ b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new variable, ``disable_firewall``, which defaults to ``true``. If
+    set to ``false``, then the host firewall will not be disabled during
+    ``kolla-ansible bootstrap-servers``.