From 9fffc7bc5241d9994d0a9fb5421520ebe95f28e1 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 30 Jun 2021 14:35:37 +0100
Subject: [PATCH] Add disable_firewall variable

Adds a new variable, 'disable_firewall', which defaults to true. If set
to false, then the host firewall will not be disabled during
kolla-ansible bootstrap-servers.

Change-Id: Ie5131013012f89c8c3b91ca359ad17d9cb77efc8
---
 ansible/roles/baremetal/defaults/main.yml     |  3 ++
 ansible/roles/baremetal/tasks/install.yml     | 54 ++++++++++---------
 .../bootstrap-servers.rst                     |  2 +
 .../disable-firewall-1e1955168c717cb5.yaml    |  6 +++
 4 files changed, 39 insertions(+), 26 deletions(-)
 create mode 100644 releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml

diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
index 8b569b5871..ac11091dbd 100644
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@@ -32,6 +32,9 @@ change_selinux: True
 
 selinux_state: "permissive"
 
+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
 docker_storage_driver: ""
 docker_custom_option: ""
 docker_custom_config: {}
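Review bot: The new comment above `disable_firewall` says what the toggle does but not what the default means for the host, which is the security-relevant fact an operator reading defaults/main.yml needs: with the default of true, bootstrap-servers leaves the host without an active host firewall. Suggest extending the comment to something like `# If true (the default), the host firewall service (firewalld or ufw) will be disabled by bootstrap-servers. Set to false to leave the host firewall service and its rules untouched.` The `True` spelling matches `change_selinux: True` in the hunk header, so it is consistent with the file, though yamllint's truthy rule would prefer `true`.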
diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml
index 27886e665c..adb904370f 100644
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
@@ -6,34 +6,36 @@
   when: ansible_facts.os_family == 'Debian'
 
 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
-- name: Set firewall default policy
-  become: True
-  ufw:
-    state: disabled
-    policy: allow
-  when: ansible_facts.os_family == 'Debian'
-  ignore_errors: yes
+- block:
+    - name: Set firewall default policy
+      become: True
+      ufw:
+        state: disabled
+        policy: allow
+      when: ansible_facts.os_family == 'Debian'
+      ignore_errors: yes
 
-- name: Check if firewalld is installed
-  command: rpm -q firewalld
-  register: firewalld_check
-  changed_when: false
-  failed_when: firewalld_check.rc > 1
-  args:
-    warn: false
-  when: ansible_facts.os_family == 'RedHat'
+    - name: Check if firewalld is installed
+      command: rpm -q firewalld
+      register: firewalld_check
+      changed_when: false
+      failed_when: firewalld_check.rc > 1
+      args:
+        warn: false
+      when: ansible_facts.os_family == 'RedHat'
 
-- name: Disable firewalld
-  become: True
-  service:
-    name: "{{ item }}"
-    enabled: false
-    state: stopped
-  with_items:
-    - firewalld
-  when:
-    - ansible_facts.os_family == 'RedHat'
-    - firewalld_check.rc == 0
+    - name: Disable firewalld
+      become: True
+      service:
+        name: "{{ item }}"
+        enabled: false
+        state: stopped
+      with_items:
+        - firewalld
+      when:
+        - ansible_facts.os_family == 'RedHat'
+        - firewalld_check.rc == 0
+  when: disable_firewall | bool
 
 # Upgrading docker engine may cause containers to stop. Take a snapshot of the
 # running containers prior to a potential upgrade of Docker.
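Review bot: The new `block:` that wraps the three firewall tasks has no `name`, so a skipped block leaves no trace in play output of why the firewall was left alone when `disable_firewall` is false; suggest `- name: Disable host firewall` as the block's first key (block names are supported by Ansible). The `TODO(inc0)` comment on the line above `- block:` now sits over the whole block rather than the ufw task it describes, so it should move inside the block to sit above `- name: Set firewall default policy`. Note also that `register: firewalld_check` is now inside the conditional block, so the variable is undefined when the block is skipped; nothing in this hunk reads it afterwards, but any later task that does would need an `is defined` guard. The task preceding the hunk's first context line starts outside the hunk.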
diff --git a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
index cef7e95922..24140eba47 100644
--- a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
+++ b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
@@ -204,6 +204,8 @@ will be added to allow all traffic.
 
 On Red Hat family systems where firewalld is installed, it will be disabled.
 
+This behaviour can be avoided by setting ``disable_firewall`` to ``false``.
+
 Creation of Python virtual environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
new file mode 100644
index 0000000000..a9c70313b7
--- /dev/null
+++ b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new variable, ``disable_firewall``, which defaults to ``true``. If
+    set to ``false``, then the host firewall will not be disabled during
+    ``kolla-ansible bootstrap-servers``.