Create the tripleo-firewall role
This change adds the tripleo-firewall role which will serve as a general purpose firewall configuration interface. The role will leverage iptables and ensure a 1:1 compatibility with existing options coming from tripleo heat templates. Story: 2006030 Task: 34663 Task: 34665 Task: 34666 Change-Id: Ic6d7462d82c9811e95aedf90b7a9d92700f2ebe3 Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
parent
bc9fe7f827
commit
33669499f9
|
@ -0,0 +1,6 @@
|
|||
=======================
|
||||
Role - tripleo-firewall
|
||||
=======================
|
||||
|
||||
.. ansibleautoplugin::
|
||||
:role: tripleo_ansible/roles/tripleo-firewall
|
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# All variables intended for modification should place placed in this file.
|
||||
|
||||
# All variables within this role should have a prefix of "tripleo_firewall"
|
||||
|
||||
# Example rule definition
|
||||
#
|
||||
# '003 accept ssh from all':
|
||||
# proto: 'tcp'
|
||||
# dport: 22
|
||||
# '002 remove ssh from all':
|
||||
# proto: 'tcp'
|
||||
# dport: 22
|
||||
# extras:
|
||||
# ensure: 'absent'
|
||||
tripleo_firewall_rules: {}
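Review bot: The example comment above `tripleo_firewall_rules` documents only `proto`, `dport` and `extras.ensure`, while the task files in this change also read `table`, `chain`, `interface`, `sport`, `source`, `jump` and `ctstate` per rule, with `chain` defaulting to `INPUT`, `jump` to `ACCEPT` and `ctstate` to `NEW`. Since this defaults file is the interface deployers are pointed at, add a comment enumerating the accepted keys and their defaults, and state explicitly that a rule without `dport` is currently not applied at all. It is also worth saying that `ensure` accepts `enabled`, `present`, `absent` or `disabled` and that any other value appears to abort the play with an undefined-element error from the `tripleo_firewall_port_states` lookup rather than being ignored — worth confirming. Something like: `# Supported keys per rule: proto (tcp), dport (required), sport, source, interface, table, chain (INPUT), jump (ACCEPT), ctstate (NEW), extras.ensure (enabled|present|absent|disabled)`.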
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Save firewall rules ipv4
|
||||
command: /usr/libexec/iptables/iptables.init save
|
||||
become: true
|
||||
listen: Save firewall rules
|
||||
|
||||
- name: Save firewall rules ipv6
|
||||
command: /usr/libexec/iptables/ip6tables.init save
|
||||
become: true
|
||||
listen: Save firewall rules
|
||||
|
||||
- name: Enable tripleo-iptables service (and do a daemon-reload systemd)
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
name: tripleo-iptables.service
|
||||
failed_when: false
|
||||
listen: Save firewall rules
|
||||
|
||||
- name: Enable tripleo-ip6tables service
|
||||
systemd:
|
||||
enabled: true
|
||||
name: tripleo-ip6tables.service
|
||||
failed_when: false
|
||||
listen: Save firewall rules
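Review bot: `failed_when: false` on both `tripleo-iptables.service` handlers hides every failure, and nothing in this change creates those units, so on a host that only has the `iptables-services` units the enable silently does nothing while the handler still reports ok. If the units are expected to be shipped by something else (the heat templates, presumably), say so in a comment above the handler, and narrow the tolerance to the missing-unit case so a genuine systemd error still surfaces, e.g. `register: tripleo_iptables_enable` and `failed_when: tripleo_iptables_enable is failed and 'Could not find' not in (tripleo_iptables_enable.msg | default(''))`, using whatever string the systemd module reports for an unknown unit. The two `iptables.init save` handlers run through `command` and will always report changed, which is acceptable for a handler but deserves a one-line comment so nobody later tries to make them idempotent by skipping the save.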
|
|
@ -0,0 +1,44 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
galaxy_info:
|
||||
author: OpenStack
|
||||
description: TripleO OpenStack Role -- tripleo-firewall
|
||||
company: Red Hat
|
||||
license: Apache-2.0
|
||||
min_ansible_version: 2.7
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
platforms:
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 28
|
||||
- name: CentOS
|
||||
versions:
|
||||
- 7
|
||||
|
||||
galaxy_tags:
|
||||
- tripleo
|
||||
|
||||
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
dependencies: []
|
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
driver:
|
||||
name: delegated
|
||||
options:
|
||||
managed: false
|
||||
login_cmd_template: >-
|
||||
ssh
|
||||
-o UserKnownHostsFile=/dev/null
|
||||
-o StrictHostKeyChecking=no
|
||||
-o Compression=no
|
||||
-o TCPKeepAlive=yes
|
||||
-o VerifyHostKeyDNS=no
|
||||
-o ForwardX11=no
|
||||
-o ForwardAgent=no
|
||||
{instance}
|
||||
ansible_connection_options:
|
||||
ansible_connection: ssh
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: instance
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
fact_caching: jsonfile
|
||||
fact_caching_connection: /tmp/molecule/facts
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
|
||||
scenario:
|
||||
name: default
|
||||
test_sequence:
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
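Review bot: `login_cmd_template` turns off host-key verification (`UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`), which is tolerable only because the single platform resolves to `ansible_host: localhost` further down in this file. Add a comment on the `driver.options` stanza saying so, e.g. `# Host-key checking is disabled because the delegated instance is localhost; do not copy this block for remote targets.` The same molecule.yml is repeated verbatim in the four other scenarios of this change, so the caveat (or any later fix) has to be applied to each copy; a shared base file or symlink would keep them from drifting.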
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- role: "tripleo-firewall"
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
driver:
|
||||
name: delegated
|
||||
options:
|
||||
managed: false
|
||||
login_cmd_template: >-
|
||||
ssh
|
||||
-o UserKnownHostsFile=/dev/null
|
||||
-o StrictHostKeyChecking=no
|
||||
-o Compression=no
|
||||
-o TCPKeepAlive=yes
|
||||
-o VerifyHostKeyDNS=no
|
||||
-o ForwardX11=no
|
||||
-o ForwardAgent=no
|
||||
{instance}
|
||||
ansible_connection_options:
|
||||
ansible_connection: ssh
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: instance
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
fact_caching: jsonfile
|
||||
fact_caching_connection: /tmp/molecule/facts
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
|
||||
scenario:
|
||||
name: firewall-add-complex
|
||||
test_sequence:
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- role: "tripleo-firewall"
|
||||
tripleo_firewall_rules:
|
||||
'003 accept ftp from all':
|
||||
proto: 'tcp'
|
||||
dport: 21
|
||||
'003 accept custom from all':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 2121
|
||||
- 2122
|
||||
- 2123
|
||||
- 2200-2210
|
||||
chain: OUTPUT
|
||||
'003 accept custom tcp from all':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 12121
|
||||
- 12122
|
||||
- 12123
|
||||
- 12200-12210
|
||||
chain: test-chain
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
driver:
|
||||
name: delegated
|
||||
options:
|
||||
managed: false
|
||||
login_cmd_template: >-
|
||||
ssh
|
||||
-o UserKnownHostsFile=/dev/null
|
||||
-o StrictHostKeyChecking=no
|
||||
-o Compression=no
|
||||
-o TCPKeepAlive=yes
|
||||
-o VerifyHostKeyDNS=no
|
||||
-o ForwardX11=no
|
||||
-o ForwardAgent=no
|
||||
{instance}
|
||||
ansible_connection_options:
|
||||
ansible_connection: ssh
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: instance
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
fact_caching: jsonfile
|
||||
fact_caching_connection: /tmp/molecule/facts
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
|
||||
scenario:
|
||||
name: firewall-add
|
||||
test_sequence:
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- role: "tripleo-firewall"
|
||||
tripleo_firewall_rules:
|
||||
'003 accept ftp from all':
|
||||
proto: 'tcp'
|
||||
dport: 21
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
driver:
|
||||
name: delegated
|
||||
options:
|
||||
managed: false
|
||||
login_cmd_template: >-
|
||||
ssh
|
||||
-o UserKnownHostsFile=/dev/null
|
||||
-o StrictHostKeyChecking=no
|
||||
-o Compression=no
|
||||
-o TCPKeepAlive=yes
|
||||
-o VerifyHostKeyDNS=no
|
||||
-o ForwardX11=no
|
||||
-o ForwardAgent=no
|
||||
{instance}
|
||||
ansible_connection_options:
|
||||
ansible_connection: ssh
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: instance
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
fact_caching: jsonfile
|
||||
fact_caching_connection: /tmp/molecule/facts
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
|
||||
scenario:
|
||||
name: firewall-remove-complex
|
||||
test_sequence:
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,47 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- role: "tripleo-firewall"
|
||||
tripleo_firewall_rules:
|
||||
'003 accept ftp from all':
|
||||
proto: 'tcp'
|
||||
dport: 21
|
||||
extras:
|
||||
ensure: 'absent'
|
||||
'003 accept custom from all':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 2121
|
||||
- 2122
|
||||
- 2123
|
||||
- 2200-2210
|
||||
extras:
|
||||
ensure: 'absent'
|
||||
chain: OUTPUT
|
||||
'003 accept custom tcp from all':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 12121
|
||||
- 12122
|
||||
- 12123
|
||||
- 12200-12210
|
||||
extras:
|
||||
ensure: 'absent'
|
||||
chain: test-chain
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
driver:
|
||||
name: delegated
|
||||
options:
|
||||
managed: false
|
||||
login_cmd_template: >-
|
||||
ssh
|
||||
-o UserKnownHostsFile=/dev/null
|
||||
-o StrictHostKeyChecking=no
|
||||
-o Compression=no
|
||||
-o TCPKeepAlive=yes
|
||||
-o VerifyHostKeyDNS=no
|
||||
-o ForwardX11=no
|
||||
-o ForwardAgent=no
|
||||
{instance}
|
||||
ansible_connection_options:
|
||||
ansible_connection: ssh
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: instance
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
fact_caching: jsonfile
|
||||
fact_caching_connection: /tmp/molecule/facts
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
|
||||
scenario:
|
||||
name: firewall-remove
|
||||
test_sequence:
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- role: "tripleo-firewall"
|
||||
tripleo_firewall_rules:
|
||||
'003 accept ftp from all':
|
||||
proto: 'tcp'
|
||||
dport: 21
|
||||
extras:
|
||||
ensure: 'absent'
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# "tripleo-firewall" will search for and load any operating system variable file
|
||||
- name: Gather variables for each operating system
|
||||
include_vars: "{{ item }}"
|
||||
with_first_found:
|
||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
|
||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
||||
- "{{ ansible_distribution | lower }}.yml"
|
||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
||||
- "{{ ansible_os_family | lower }}.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Firewall add block
|
||||
become: true
|
||||
block:
|
||||
- name: Ensure firewall is installed
|
||||
package:
|
||||
name: "{{ tripleo_firewall_packages }}"
|
||||
state: present
|
||||
|
||||
- name: Ensure firewall is enabled
|
||||
systemd:
|
||||
name: iptables
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Enable filewall port config
|
||||
include_tasks: tripleo_firewall_add.yml
|
||||
when:
|
||||
- item['rule']['dport'] is defined
|
||||
- tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] == 'present'
|
||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
||||
|
||||
- name: Disable filewall port config
|
||||
include_tasks: tripleo_firewall_remove.yml
|
||||
when:
|
||||
- item['rule']['dport'] is defined
|
||||
- tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] == 'absent'
|
||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
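Review bot: Both include tasks gate on `item['rule']['dport'] is defined`, so a rule without a port — which is exactly what a catch-all `jump: DROP` or `LOG` rule looks like — is silently skipped and the host is left more open than the configured ruleset says; for a firewall role that is a fail-open default. Either reject such rules loudly until port-less rules are supported, as sketched below, or let them through with the port omitted. Separately, rules reach the includes in `dict2items` order and the iptables module appends, so the numeric prefixes in the example names (`002`, `003`) carry no meaning; if they are meant to encode evaluation order as they appear to in the heat-template rules this mirrors, sort the loop: `loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') | sort(attribute='rule_name') }}"`. The two task names also read `filewall` rather than `firewall`.
```yaml
# … unchanged: package and iptables service tasks …
- name: Refuse rules the role cannot express yet
  fail:
    msg: "Rule '{{ item['rule_name'] }}' has no dport; port-less rules are not applied by this role"
  when:
    - item['rule']['dport'] is not defined
  loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
# … unchanged: add/remove include tasks …
```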
|
|
@ -0,0 +1,85 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# NOTE(Cloudnull): This task exists because the iptables module will not
|
||||
# create a chain. There is a feature request open for this
|
||||
# [ https://github.com/ansible/ansible/issues/25099 ].
|
||||
# A change has been added to support this functionality but
|
||||
# it is awaiting review and merge.
|
||||
# [ https://github.com/ansible/ansible/pull/32158 ]. When
|
||||
# this change is merged this task should be removed.
|
||||
- name: Ensure chains exist
|
||||
shell: |-
|
||||
EXIT_CODE=0
|
||||
if ! iptables --list "{{ item['rule']['chain'] }}"; then
|
||||
iptables -N "{{ item['rule']['chain'] }}"
|
||||
EXIT_CODE=99
|
||||
fi
|
||||
if ! ip6tables --list "{{ item['rule']['chain'] }}"; then
|
||||
ip6tables -N "{{ item['rule']['chain'] }}"
|
||||
EXIT_CODE=99
|
||||
fi
|
||||
exit ${EXIT_CODE}
|
||||
when:
|
||||
- (item['rule']['chain'] | default('INPUT')) != 'INPUT'
|
||||
register: iptables_chain
|
||||
changed_when: iptables_chain.rc == 99
|
||||
failed_when: not (iptables_chain.rc in [0, 99])
|
||||
|
||||
- name: Add firewall service rule (ipv4)
|
||||
iptables:
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||
destination_port: "{{ port | replace('-', ':') }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ item['rule']['ctstate'] | default('NEW') }}"
|
||||
ip_version: ipv4
|
||||
state: "present"
|
||||
when:
|
||||
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
||||
loop: "{{ (item['rule']['dport'] is iterable) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||
loop_control:
|
||||
loop_var: port
|
||||
notify:
|
||||
- Save firewall rules
|
||||
|
||||
- name: Add firewall service rule (ipv6)
|
||||
iptables:
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||
destination_port: "{{ port | replace('-', ':') }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv6"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ item['rule']['ctstate'] | default('NEW') }}"
|
||||
ip_version: ipv6
|
||||
state: "present"
|
||||
when:
|
||||
- item['rule']['source'] | default('::') | ipv6
|
||||
loop: "{{ (item['rule']['dport'] is iterable) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||
loop_control:
|
||||
loop_var: port
|
||||
notify:
|
||||
- Save firewall rules
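Review bot: `Ensure chains exist` creates the chain in the default `filter` table only, while the rule tasks below pass `item['rule']['table']` through, so a rule with `table: nat` (or `mangle`) and a custom chain bootstraps the chain in the wrong table and the following `iptables:` task fails with a missing-chain error. The chain name is also interpolated bare into a `shell:` script; it comes from deployer-supplied rule definitions rather than a network peer, but passing it through `| quote` costs nothing and keeps a stray `$(`, `;` or quote from reaching the shell. Adding `-n` to `--list` avoids reverse-DNS lookups on hosts with slow resolvers. The rewrite below applies the table to both families; whether every table is available to `ip6tables` on the target kernel is something to confirm.
```yaml
- name: Ensure chains exist
  shell: |-
    EXIT_CODE=0
    for BIN in iptables ip6tables; do
      if ! "${BIN}" -t {{ item['rule']['table'] | default('filter') | quote }} -n --list {{ item['rule']['chain'] | quote }}; then
        "${BIN}" -t {{ item['rule']['table'] | default('filter') | quote }} -N {{ item['rule']['chain'] | quote }}
        EXIT_CODE=99
      fi
    done
    exit ${EXIT_CODE}
  # … unchanged: when / register / changed_when / failed_when …
```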
|
|
@ -0,0 +1,60 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Remove firewall service rule (ipv4)
|
||||
iptables:
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||
destination_port: "{{ port | replace('-', ':') }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ item['rule']['ctstate'] | default('NEW') }}"
|
||||
ip_version: ipv4
|
||||
state: "absent"
|
||||
when:
|
||||
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
||||
loop: "{{ (item['rule']['dport'] is iterable) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||
loop_control:
|
||||
loop_var: port
|
||||
notify:
|
||||
- Save firewall rules
|
||||
|
||||
- name: Remove firewall service rule (ipv6)
|
||||
iptables:
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||
destination_port: "{{ port | replace('-', ':') }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv6"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ item['rule']['ctstate'] | default('NEW') }}"
|
||||
ip_version: ipv6
|
||||
state: "absent"
|
||||
when:
|
||||
- item['rule']['source'] | default('::') | ipv6
|
||||
loop: "{{ (item['rule']['dport'] is iterable) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||
loop_control:
|
||||
loop_var: port
|
||||
notify:
|
||||
- Save firewall rules
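Review bot: The two rule tasks here duplicate `tripleo_firewall_add.yml` line for line apart from `state: "absent"`, so any fix to the matching attributes (the `sport` omit/replace chain, the `ipv4`/`ipv6` source filters, the comment text) has to be made twice, and if the copies drift a rule added by one file would no longer match for deletion by the other. Consider a single task file driven by a variable passed from the include, `state: "{{ tripleo_firewall_rule_state }}"`, with `vars: { tripleo_firewall_rule_state: absent }` on the corresponding `include_tasks` in main.yml. Note also that removal only deletes the rule; a custom chain created on the add path is left in place, which is harmless but worth a comment so nobody expects `ensure: absent` to tear the chain down.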
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# All variables within this role should have a prefix of "tripleo_firewall"
|
||||
|
||||
# Converts the expected state options to functional states when
|
||||
# interacting with ports.
|
||||
tripleo_firewall_port_states:
|
||||
enabled: 'present'
|
||||
present: 'present'
|
||||
absent: 'absent'
|
||||
disabled: 'absent'
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# While options found within the vars/ path can be overridden using extra
|
||||
# vars, items within this path are considered part of the role and not
|
||||
# intended to be modified.
|
||||
|
||||
tripleo_firewall_packages:
|
||||
- iptables-services
|
|
@ -28,6 +28,7 @@
|
|||
- tripleo-ansible-centos-7-molecule-tripleo-upgrade-hiera
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-kernel
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-container-image-prepare
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-firewall
|
||||
gate:
|
||||
jobs:
|
||||
- tripleo-ansible-centos-7-molecule-aide
|
||||
|
@ -56,6 +57,7 @@
|
|||
- tripleo-ansible-centos-7-molecule-tripleo-upgrade-hiera
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-kernel
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-container-image-prepare
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-firewall
|
||||
name: tripleo-ansible-molecule-jobs
|
||||
- job:
|
||||
files:
|
||||
|
@ -247,3 +249,10 @@
|
|||
tripleo_docker_enable_vfs: true
|
||||
tripleo_docker_temp_file: "{{ zuul.executor.work_root }}/.tmp/docker-daemon-{{ inventory_hostname }}.json"
|
||||
tripleo_role_name: tripleo-container-image-prepare
|
||||
- job:
|
||||
files:
|
||||
- ^tripleo_ansible/roles/tripleo-firewall/.*
|
||||
name: tripleo-ansible-centos-7-molecule-tripleo-firewall
|
||||
parent: tripleo-ansible-centos-7-base
|
||||
vars:
|
||||
tripleo_role_name: tripleo-firewall
|
||||
|
|