From 9fffc7bc5241d9994d0a9fb5421520ebe95f28e1 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Wed, 30 Jun 2021 14:35:37 +0100
Subject: [PATCH] Add disable_firewall variable

Adds a new variable, 'disable_firewall', which defaults to true. If set to false, then the host firewall will not be disabled during kolla-ansible bootstrap-servers.

Change-Id: Ie5131013012f89c8c3b91ca359ad17d9cb77efc8
---
 ansible/roles/baremetal/defaults/main.yml | 3 ++
 ansible/roles/baremetal/tasks/install.yml | 54 ++++++++++---------
 .../bootstrap-servers.rst | 2 +
 .../disable-firewall-1e1955168c717cb5.yaml | 6 +++
 4 files changed, 39 insertions(+), 26 deletions(-)
 create mode 100644 releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
index 8b569b5871..ac11091dbd 100644
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@@ -32,6 +32,9 @@
 change_selinux: True
 selinux_state: "permissive"
+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
 docker_storage_driver: ""
 docker_custom_option: ""
 docker_custom_config: {}
diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml
index 27886e665c..adb904370f 100644
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
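Review bot: The comment added above `disable_firewall` in the defaults hunk does not say that the value shown is the default, nor that on Debian family hosts the ufw default policy is changed to allow as well as the service being disabled, so an operator reading only this file cannot see that bootstrap-servers leaves the host with no packet filtering unless they opt out. Suggest replacing the comment with `# If true (the default), the host firewall service (firewalld or ufw) is stopped and disabled; on Debian family hosts the ufw default policy is also set to allow. Set to false to leave the host firewall untouched.` The capitalised `True` matches the neighbouring `change_selinux: True`, so it is consistent with this file, although the documentation and release note refer to the lowercase `true`/`false` forms.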
@@ -6,34 +6,36 @@
 when: ansible_facts.os_family == 'Debian'
 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
-- name: Set firewall default policy
- become: True
- ufw:
- state: disabled
- policy: allow
- when: ansible_facts.os_family == 'Debian'
- ignore_errors: yes
+- block:
+ - name: Set firewall default policy
+ become: True
+ ufw:
+ state: disabled
+ policy: allow
+ when: ansible_facts.os_family == 'Debian'
+ ignore_errors: yes
-- name: Check if firewalld is installed
- command: rpm -q firewalld
- register: firewalld_check
- changed_when: false
- failed_when: firewalld_check.rc > 1
- args:
- warn: false
- when: ansible_facts.os_family == 'RedHat'
+ - name: Check if firewalld is installed
+ command: rpm -q firewalld
+ register: firewalld_check
+ changed_when: false
+ failed_when: firewalld_check.rc > 1
+ args:
+ warn: false
+ when: ansible_facts.os_family == 'RedHat'
-- name: Disable firewalld
- become: True
- service:
- name: "{{ item }}"
- enabled: false
- state: stopped
- with_items:
- - firewalld
- when:
- - ansible_facts.os_family == 'RedHat'
- - firewalld_check.rc == 0
+ - name: Disable firewalld
+ become: True
+ service:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ with_items:
+ - firewalld
+ when:
+ - ansible_facts.os_family == 'RedHat'
+ - firewalld_check.rc == 0
+ when: disable_firewall | bool
 # Upgrading docker engine may cause containers to stop. Take a snapshot of the
 # running containers prior to a potential upgrade of Docker.
diff --git a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
index cef7e95922..24140eba47 100644
--- a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
+++ b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
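Review bot: The block-level `when: disable_firewall | bool` added at the end of the hunk also skips the `Check if firewalld is installed` task, so `firewalld_check` is only registered when the variable is true; if any task later in this role reads `firewalld_check` (none does within this hunk), it would hit an undefined variable once an operator sets `disable_firewall: false`, so it would be safer to leave that read-only check outside the block and apply the variable only to the two tasks that change state. The new block also carries no name, which makes the skipped tasks harder to recognise in play output; suggest `- name: Disable host firewall` followed by `block:` on the next line. The surrounding task list starts and ends outside the hunk.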
@@ -204,6 +204,8 @@
 will be added to allow all traffic.
 On Red Hat family systems where firewalld is installed, it will be disabled.
+This behaviour can be avoided by setting ``disable_firewall`` to ``false``.
+
 Creation of Python virtual environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
new file mode 100644
index 0000000000..a9c70313b7
--- /dev/null
+++ b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds a new variable, ``disable_firewall``, which defaults to ``true``. If
+ set to ``false``, then the host firewall will not be disabled during
+ ``kolla-ansible bootstrap-servers``.