openstack/tripleo-ansible
Code Issues Proposed changes

Clean tripleo_iptables related resources

Browse Source 
Now that we've switched to nftables, it's time to remove
tripleo_iptables related resources. We don't want to support both
interfaces, since nftables is the future of the NetFilter interface (for
now).

We remove most of molecule tests as well since we're already testing
nftables directly in tripleo_nftables. tripleo_firewall is now a wrapper
ensuring proper service is enabled, and rules are properly listed.

We keep tripleo_firewall since it allows a smooth migration to whatever
engine the future will provide.

Change-Id: If9bdb915b28e33afd9ec2a487ccad5de3498188b
This commit is contained in:
Cédric Jeanneret 2022-10-03 07:43:52 +02:00
parent 2fb7c2c7e2
commit cf587dd009
25 changed files with 7 additions and 972 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.ansible-lint
View File

@ -48,7 +48,6 @@ mock_modules:
- tripleo_get_introspected_data
- tripleo_get_role_list
- tripleo_image_params_prepare
- tripleo_iptables
- tripleo_network_populate_environment
- tripleo_network_ports_populate_environment
- tripleo_os_net_config

6
releasenotes/notes/clean-iptables-967b9dda091a6535.yaml Normal file
View File

@ -0,0 +1,6 @@
---
other:
- |
Remove iptables management from tripleo-ansible, since we're now using
nftables by default. Therefore, tripleo_iptables isn't needed anymore,
nor is the switch in tripleo_firewall allowing to chose the engine.

343
tripleo_ansible/ansible_plugins/action/tripleo_iptables.py
View File

@ -1,343 +0,0 @@
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
DOCUMENTATION = """
---
module: tripleo_iptables
author:
- Kevin Carter (@cloudnull) <kecarter@redhat.com>
version_added: '2.8'
short_description: Runs iptables module commands in bulk.
notes: []
description:
- This module accepts iptables rules in list format and batches their
creation to speed up the creation of rules at scale.
options:
tripleo_rules:
description:
- List of rules to batch, rules have been constructed using the tripleo
spec and will be formatted to match the input values of the core
iptables module.
required: True
"""
EXAMPLES = """
- name: Run Package Installation
tripleo_iptables:
tripleo_rules:
- '1 rule special':
dport:
- 1234
- 4321
- '2 rule special also':
dport:
- 2345
- 5432
"""
from ansible.plugins.action import ActionBase
try:
from ansible_collections.ansible.utils.plugins.filter import ipaddr
except ImportError:
from ansible_collections.ansible.netcommon.plugins.filter import ipaddr
from ansible.utils.display import Display
DISPLAY = Display()
RULE_STATES = {
'enabled': 'present',
'present': 'present',
'absent': 'absent',
'disabled': 'absent'
}
IPTABLES_BIN = {
'ipv4': 'iptables',
'ipv6': 'ip6tables'
}
IPTABLES_CHAIN_CMD = """
if ! {cmd} --list "{chain}"; then
{cmd} -N "{chain}"
fi
"""
IPTABLES_CHAINS = ('INPUT', 'OUTPUT', 'FORWARD')
class ActionModule(ActionBase):
"""Batch iptables rules for faster rule creation."""
def _run_module(self, name, args, task_vars):
"""Runs an ansible module and collects return information.
:returns: boolean
"""
module_return = self._execute_module(
module_name=name,
module_args=args,
task_vars=task_vars
)
changed = module_return.get('changed')
if changed:
self.return_data['changed'] = True
self.return_data['stdout'] = module_return.get('stdout')
self.return_data['stderr'] = module_return.get('stderr')
self.return_data['msg'] = module_return.get('msg')
self.return_data['cmd'] = module_return.get('cmd')
self.return_data['rc'] = module_return.get('rc', 0)
fatal = self.return_data['failed'] = module_return.get(
'failed',
False
)
DISPLAY.vv('Module name: {}'.format(name))
DISPLAY.vv('Module args: {}'.format(args))
if fatal:
DISPLAY.error('Failed, module return: {}'.format(module_return))
DISPLAY.error('Failed, return data: {}'.format(self.return_data))
return fatal
@staticmethod
def _check_rule_data(rule_data, ipversion):
"""Check the rule data for compatible ip version information.
This function uses the ansible ipaddr filter to validate IP
information when a source or destination has been provided.
:returns: boolean
"""
kwargs_hash = {
'ipv6': {
'version': 6,
'query': 'ipv6',
'alias': 'ipv6'
},
'ipv4': {
'version': 4,
'query': 'ipv4',
'alias': 'ipv4'
}
}
for arg in ('source', 'destination'):
ip_data = rule_data.get(arg)
if ip_data:
DISPLAY.v(
'Checking "{}" against "{}" with ip version "{}"'.format(
arg,
ip_data,
ipversion
)
)
ip_data_check = ipaddr.ipaddr(
value=ip_data,
**kwargs_hash[ipversion]
)
DISPLAY.vvv('ipaddr filter return "{}"'.format(ip_data_check))
if not ip_data_check:
DISPLAY.v(
'Rule has a "{}" but the value "{}" is not applicable'
' to ip version "{}"'.format(
arg,
ip_data,
ipversion
)
)
DISPLAY.vvv('Rule data: "{}"'.format(rule_data))
return False
else:
return True
def queue_rules(self):
"""Add chains and rules to the required queues."""
for item in self._task.args['tripleo_rules']:
rule_data = dict()
rule = item['rule']
# Ensure we filter out the nftables dedicated keys
rule = {k: rule[k] for k in rule if not k.startswith('nft_')}
ipversions = rule.get('ipversion', ['ipv4', 'ipv6'])
if not isinstance(ipversions, list):
ipversions = [ipversions]
state = rule.get('extras', dict()).get('ensure', 'enabled')
rule_data['state'] = RULE_STATES[state]
action = rule_data['action'] = rule.get('action', 'insert')
if action == 'drop':
rule_data['action'] = 'append'
rule_data['jump'] = rule.get('jump', 'DROP')
elif action == 'accept':
rule_data['action'] == 'append'
rule_data['jump'] = rule.get('jump', 'ACCEPT')
else:
rule_data['jump'] = rule.get('jump', 'ACCEPT')
rule_data['chain'] = rule.get('chain', 'INPUT')
rule_data['protocol'] = rule.get('proto', 'tcp')
if 'table' in rule:
rule_data['table'] = rule['table']
if 'interface' in rule:
rule_data['in_interface'] = rule['interface']
if 'sport' in rule:
rule_data['source_port'] = rule['sport']
if 'source' in rule:
rule_data['source'] = rule['source']
if rule_data['protocol'] != 'gre':
rule_data['ctstate'] = rule.get('state', 'NEW')
if 'limit' in rule:
rule_data['limit'] = rule['limit']
if 'limit_burst' in rule:
rule_data['limit_burst'] = rule['limit_burst']
if 'destination' in rule:
rule_data['destination'] = rule['destination']
for ipversion in ipversions:
if not self._check_rule_data(rule_data=rule_data,
ipversion=ipversion):
continue
versioned_rule_data = rule_data.copy()
versioned_rule_data['ip_version'] = ipversion
if 'rule_name' in item:
versioned_rule_data['comment'] = '{} {}'.format(
item['rule_name'],
ipversion
)
if not versioned_rule_data['chain'] in IPTABLES_CHAINS:
chain = versioned_rule_data['chain']
DISPLAY.v(
'Queueing chain: {}, ip version {}'.format(
chain, ipversion
)
)
self.iptables_chains.append(
{
'ipv': ipversion,
'chain': chain,
'command': IPTABLES_CHAIN_CMD.format(
cmd=IPTABLES_BIN[ipversion],
chain=chain
)
}
)
# NOTE(cloudnull): while dport is the only supported option,
# port has been added as an ailias to ensure
# our legacy configs remain functional.
if 'dport' in rule or 'port' in rule:
dport_rule_data = versioned_rule_data.copy()
dports = rule.get('dport', 'port')
if 'port' in rule:
DISPLAY.v(
'The use of "port" is deprecated and will be'
' removed in a future release. Please convert'
' all uses of "port" to "dport".'
)
if not isinstance(dports, list):
dports = [dports]
for dport in dports:
if isinstance(dport, int):
dport_rule_data['destination_port'] = dport
else:
dport = dport.replace('-', ':')
dport_rule_data['destination_port'] = dport
DISPLAY.v(
'Queueing port rule: {},'
' ip version: {},'
' dport: {}'.format(
dport_rule_data.get('comment', None),
ipversion,
dport_rule_data['destination_port']
)
)
self.iptables_rules.append(dport_rule_data.copy())
else:
DISPLAY.v(
'Queueing service rule: {},'
' ip version: {}'.format(
versioned_rule_data.get('comment', None),
ipversion
)
)
self.iptables_rules.append(versioned_rule_data.copy())
def run(self, tmp=None, task_vars=None):
"""Run the iptables firewall rule batcher.
When rules are batched, the chains will be created before the rules.
"""
self.return_data = dict()
self.iptables_rules = list()
self.iptables_chains = list()
self.queue_rules()
for iptables_chain in self.iptables_chains:
DISPLAY.v(
'Managing chain: {} for version {}'.format(
iptables_chain['chain'],
iptables_chain['ipv']
)
)
return_data = self._low_level_execute_command(
iptables_chain['command'],
executable='/bin/bash'
)
if return_data['rc'] > 0:
DISPLAY.error(msg='Failed command: {}'.format(iptables_chain))
DISPLAY.error(msg='Failed chain data: {}'.format(return_data))
return return_data
for iptables_rule in self.iptables_rules:
DISPLAY.v(
'Managing rule: {},'
' dport: {},'
' ip version: {}'.format(
iptables_rule.get('comment', 'undefined'),
iptables_rule.get('destination_port', 'undefined'),
iptables_rule['ip_version'],
)
)
fatal = self._run_module(
name='ansible.builtin.iptables',
args=iptables_rule,
task_vars=task_vars
)
if fatal:
return self.return_data
return self.return_data

1
tripleo_ansible/roles/tripleo_firewall/defaults/main.yml
View File

@ -29,7 +29,6 @@
# dport: 22
# extras:
# ensure: 'absent'
tripleo_firewall_engine: 'iptables'
tripleo_firewall_rules: {}

21
tripleo_ansible/roles/tripleo_firewall/molecule/default/converge.yml
View File

@ -1,21 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "tripleo_firewall"

27
tripleo_ansible/roles/tripleo_firewall/molecule/default/molecule.yml
View File

@ -1,27 +0,0 @@
---
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
name: default
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra

22
tripleo_ansible/roles/tripleo_firewall/molecule/default/prepare.yml
View File

@ -1,22 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
- role: env_data

57
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-add-complex/converge.yml
View File

@ -1,57 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "tripleo_firewall"
tripleo_firewall_rules:
'003 accept ftp from all':
proto: 'tcp'
dport: "21"
'003 accept custom from all':
proto: 'udp'
dport:
- "2121"
- 2122
- 2123
- 2200-2210
chain: OUTPUT
'003 accept custom tcp from all':
proto: 'tcp'
dport:
- 12121
- 12122
- 12123
- 12200-12210
chain: test-chain
'004 gre networks':
proto: 'gre'
'005 vrrp networks':
proto: 'vrrp'
'006 neutron-test':
dport: 2211
'006 ironic-inspector':
dport: 2212
'124 snmp':
dport: 2212
source: '192.168.24.1/24'
chain: test-chain2
'125 snmp':
dport: 2212
destination: '::'
chain: test-chain2

26
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-add-complex/molecule.yml
View File

@ -1,26 +0,0 @@
---
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra

22
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-add-complex/prepare.yml
View File

@ -1,22 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
- role: env_data

25
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-add/converge.yml
View File

@ -1,25 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "tripleo_firewall"
tripleo_firewall_rules:
'003 accept ftp from all':
proto: 'tcp'
dport: 21

27
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-add/molecule.yml
View File

@ -1,27 +0,0 @@
---
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
name: firewall-add
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra

22
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-add/prepare.yml
View File

@ -1,22 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
- role: env_data

26
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/converge.yml
View File

@ -1,26 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
vars:
tripleo_masquerade_networks:
'10.10.0.0/24':
- '10.10.0.0/24'
- '10.10.1.0/24'
roles:
- role: "tripleo_firewall"

27
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/molecule.yml
View File

@ -1,27 +0,0 @@
---
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
name: firewall-masquerade
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra

22
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/prepare.yml
View File

@ -1,22 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
- role: env_data

73
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-remove-complex/converge.yml
View File

@ -1,73 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "tripleo_firewall"
tripleo_firewall_rules:
'003 accept ftp from all':
proto: 'tcp'
dport: "21"
extras:
ensure: 'absent'
'003 accept custom from all':
proto: 'udp'
dport:
- "2121"
- 2122
- 2123
- 2200-2210
extras:
ensure: 'absent'
chain: OUTPUT
'003 accept custom tcp from all':
proto: 'tcp'
dport:
- 12121
- 12122
- 12123
- 12200-12210
extras:
ensure: 'absent'
chain: test-chain
'004 gre networks':
proto: 'gre'
extras:
ensure: 'absent'
'005 vrrp networks':
proto: 'vrrp'
extras:
ensure: 'absent'
'006 neutron-test':
dport: 2211
extras:
ensure: 'absent'
'006 ironic-inspector':
dport: 2212
extras:
ensure: 'absent'
'124 snmp':
dport: 2212
source: '192.168.24.1/24'
extras:
ensure: 'absent'
'125 snmp':
dport: 2212
destination: '::'
extras:
ensure: 'absent'

27
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-remove-complex/molecule.yml
View File

@ -1,27 +0,0 @@
---
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
name: firewall-remove-complex
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra

22
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-remove-complex/prepare.yml
View File

@ -1,22 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
- role: env_data

27
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-remove/converge.yml
View File

@ -1,27 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "tripleo_firewall"
tripleo_firewall_rules:
'003 accept ftp from all':
proto: 'tcp'
dport: 21
extras:
ensure: 'absent'

26
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-remove/molecule.yml
View File

@ -1,26 +0,0 @@
---
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra

22
tripleo_ansible/roles/tripleo_firewall/molecule/firewall-remove/prepare.yml
View File

@ -1,22 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
- role: env_data

98
tripleo_ansible/roles/tripleo_firewall/tasks/iptables.yaml
View File

@ -1,98 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# "tripleo_firewall" will search for and load any operating system variable file
- name: Firewall add block
become: true
block:
- name: Ensure firewall is installed
package:
name: "{{ tripleo_firewall_packages }}"
state: present
- name: Create empty ruleset in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables
become: true
ignore_errors: "{{ (((ansible_facts['os_family'] | lower) ~ '-' ~ ansible_facts['distribution_major_version']) == 'redhat-7') | bool }}"
copy:
dest: "{{ item }}"
content: "# empty ruleset created by deployed-server bootstrap"
loop:
- /etc/sysconfig/iptables
- /etc/sysconfig/ip6tables
- name: Ensure firewall is enabled/started
systemd:
name: iptables
state: started
enabled: true
- name: Manage firewall rules
tripleo_iptables:
tripleo_rules: "{{ firewall_rules_sorted }}"
- name: Firewall save block
become: true
block:
- name: Save firewall rules ipv4
command: /usr/libexec/iptables/iptables.init save
- name: Save firewall rules ipv6
command: /usr/libexec/iptables/ip6tables.init save
- name: Enable iptables service (and do a daemon-reload systemd)
systemd:
daemon_reload: true
enabled: true
name: "{{ item }}"
state: started
loop:
- iptables.service
- ip6tables.service
- name: Enable tripleo-iptables service (and do a daemon-reload systemd)
systemd:
daemon_reload: true
enabled: true
name: "{{ item }}"
state: started
loop:
- tripleo-iptables.service
- tripleo-ip6tables.service
failed_when: false
- name: Stop and disable firewalld
systemd:
enabled: false
name: "firewalld.service"
state: stopped
failed_when: false
- name: Find non-persistent rules
command: egrep -l 'comment.*(neutron-|ironic-inspector)' /etc/sysconfig/iptables* /etc/sysconfig/ip6tables*
failed_when: false
changed_when: false
register: neutron_rules
- name: Remove non-persistent line(s)
lineinfile:
path: "{{ item }}"
state: absent
regexp: '^((?!.*comment)(?=.*(ironic-inspector|neutron-)))'
when:
- not ansible_check_mode|bool
- item.find('v=' ~ '^/') == -1
loop: "{{ neutron_rules.stdout_lines }}"

7
tripleo_ansible/roles/tripleo_firewall/tasks/main.yml
View File

@ -87,14 +87,7 @@
list
}}"
- name: Manage rules via iptables
when:
- tripleo_firewall_engine == 'iptables'
include_tasks: iptables.yaml
- name: Manage rules via nftables
when:
- tripleo_firewall_engine == 'nftables'
vars:
tripleo_nftables_rules: "{{ firewall_rules_sorted | sort(attribute='rule_name') |list }}"
include_role:

2
tripleo_ansible/roles/tripleo_firewall/vars/redhat.yml
View File

@ -20,4 +20,4 @@
# intended to be modified.
tripleo_firewall_packages:
- iptables-services
- nftables