Merge "Add disable_firewall variable"

ansible/roles/baremetal/defaults/main.yml

@@ -32,6 +32,9 @@ change_selinux: True
 
 selinux_state: "permissive"
 
+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
 docker_storage_driver: ""
 docker_custom_option: ""
 docker_custom_config: {}

ansible/roles/baremetal/tasks/install.yml

@@ -6,6 +6,7 @@
   when: ansible_facts.os_family == 'Debian'
 
 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
+- block:
     - name: Set firewall default policy
       become: True
       ufw:
@@ -34,6 +35,7 @@
       when:
         - ansible_facts.os_family == 'RedHat'
         - firewalld_check.rc == 0
+  when: disable_firewall | bool
 
 # Upgrading docker engine may cause containers to stop. Take a snapshot of the
 # running containers prior to a potential upgrade of Docker.

doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst

@@ -207,6 +207,8 @@ will be added to allow all traffic.
 
 On Red Hat family systems where firewalld is installed, it will be disabled.
 
+This behaviour can be avoided by setting ``disable_firewall`` to ``false``.
+
 Creation of Python virtual environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new variable, ``disable_firewall``, which defaults to ``true``. If
+    set to ``false``, then the host firewall will not be disabled during
+    ``kolla-ansible bootstrap-servers``.