From 079d4221a58f9f9592e423d42323b0a0d80e58a4 Mon Sep 17 00:00:00 2001
From: Juan
Date: Tue, 19 Jan 2021 15:23:06 +0100
Subject: [PATCH] Opens ports to NFS server's firewalld
If the NFS server firewalld does not open the ports, ReaR cannot correctly mount the NFS server while performing the backup and/or restore, and subsequently the action fails and the openstack-ansible playbook stops running. This change checks whether the server chosen to be NFS server has firewalld running, and implies that if it is running, the operator must declare the firewalld zone where the ports must be opened.
Closes-Bug: #1912366
Change-Id: Ic6816fa647653baf8297dc62cdd99ee522b86535
---
 .../backup_and_restore/defaults/main.yml | 3 ++
 .../backup_and_restore/tasks/setup_nfs.yml | 32 +++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/tripleo_ansible/roles/backup_and_restore/defaults/main.yml b/tripleo_ansible/roles/backup_and_restore/defaults/main.yml
index 61c941aef..91b72e534 100644
--- a/tripleo_ansible/roles/backup_and_restore/defaults/main.yml
+++ b/tripleo_ansible/roles/backup_and_restore/defaults/main.yml
@@ -69,3 +69,6 @@ tripleo_backup_and_restore_ceph_backup_file: "/var/lib/ceph.tar.gz"
 # Ceph directory to back up
 tripleo_backup_and_restore_ceph_path: "/var/lib/ceph"
+
+# If there is a firewalld active, setup the zone where the NFS server ports need to be opened
+tripleo_backup_and_restore_firewalld_zone: "libvirt"
diff --git a/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml b/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml
index 711999cd5..ae2250077 100644
--- a/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml
+++ b/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml
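Review bot: The comment above `tripleo_backup_and_restore_firewalld_zone` in defaults/main.yml does not say which ports the role opens in that zone, or that the shipped value is only a default. The commit message says the operator must declare the zone, but with `"libvirt"` preset nothing forces that choice, so 111/tcp and 2049/tcp end up opened in a zone the operator may never have reviewed. I would word the comment along the lines of `# firewalld zone on the NFS server where 111/tcp and 2049/tcp are opened permanently when firewalld is running; set this to the zone that carries the backup network`.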
@@ -68,6 +68,38 @@
 tags:
 - bar_setup_nfs_server
+- name: Gather status of services running on the system
+ service_facts:
+ register: services_state
+ ignore_errors: true
+ tags:
+ - bar_setup_nfs_server
+
+- name: Open ports in firewalld
+ become: true
+ block:
+ - name: Allow NFS port 111 in the firewall
+ firewalld:
+ port: 111/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+ zone: "{{ tripleo_backup_and_restore_firewalld_zone }}"
+
+ - name: Allow NFS port 2049 in the firewall
+ firewalld:
+ port: 2049/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+ zone: "{{ tripleo_backup_and_restore_firewalld_zone }}"
+ when: >
+ services_state is defined and
+ services_state.ansible_facts.services['firewalld.service'] is defined and
+ services_state.ansible_facts.services['firewalld.service'].state == "running"
+ tags:
+ - bar_setup_nfs_server
+
 - name: Enable the NFS service in the NFS server
 become: true
 systemd:
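Review bot: The `when:` that follows the two firewalld tasks does not handle a failed `service_facts` run. `services_state is defined` is true for any registered result, including a failed one kept alive by `ignore_errors: true`, and such a result presumably has no `ansible_facts`, so the remaining clauses are evaluated against a missing key. Testing the outcome instead, `services_state is succeeded and`, or dropping `ignore_errors: true`, makes that case explicit. Both rules are also `permanent: true` and apply to every source in the zone; a comment above the block such as `# Opens rpcbind (111/tcp) and NFS (2049/tcp) to all sources in the zone; the rules persist after the backup` would record that this exposure is intended.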