114 lines
3.4 KiB
YAML
114 lines
3.4 KiB
YAML
---
|
|
# Copyright 2019 Red Hat, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
# "tripleo-firewall" will search for and load any operating system variable file
|
|
- name: Gather variables for each operating system
|
|
include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
|
|
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
|
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
|
- "{{ ansible_distribution | lower }}.yml"
|
|
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
|
- "{{ ansible_os_family | lower }}.yml"
|
|
tags:
|
|
- always
|
|
|
|
- name: Set rule fact
|
|
set_fact:
|
|
firewall_rules_sorted: "{{
|
|
tripleo_firewall_default_rules |
|
|
combine(tripleo_firewall_rules) |
|
|
dict2items(key_name='rule_name', value_name='rule') |
|
|
sort(attribute='rule_name') |
|
|
reverse |
|
|
list
|
|
}}"
|
|
|
|
- name: Firewall add block
|
|
become: true
|
|
block:
|
|
- name: Ensure firewall is installed
|
|
package:
|
|
name: "{{ tripleo_firewall_packages }}"
|
|
state: present
|
|
|
|
- name: Ensure firewall is enabled
|
|
systemd:
|
|
name: iptables
|
|
state: started
|
|
enabled: true
|
|
|
|
- name: Manage firewall rules
|
|
tripleo_iptables:
|
|
tripleo_rules: "{{ firewall_rules_sorted }}"
|
|
register: _iptables_result
|
|
|
|
- name: Firewall save block
|
|
when:
|
|
- _iptables_result.changed
|
|
become: true
|
|
block:
|
|
- name: Save firewall rules ipv4
|
|
command: /usr/libexec/iptables/iptables.init save
|
|
|
|
- name: Save firewall rules ipv6
|
|
command: /usr/libexec/iptables/ip6tables.init save
|
|
|
|
- name: Enable iptables service (and do a daemon-reload systemd)
|
|
systemd:
|
|
daemon_reload: true
|
|
enabled: true
|
|
name: "{{ item }}"
|
|
state: started
|
|
loop:
|
|
- iptables.service
|
|
- ip6tables.service
|
|
|
|
- name: Enable tripleo-iptables service (and do a daemon-reload systemd)
|
|
systemd:
|
|
daemon_reload: true
|
|
enabled: true
|
|
name: "{{ item }}"
|
|
state: started
|
|
loop:
|
|
- tripleo-iptables.service
|
|
- tripleo-ip6tables.service
|
|
failed_when: false
|
|
|
|
- name: Stop and disable firewalld
|
|
systemd:
|
|
enabled: false
|
|
name: "firewalld.service"
|
|
state: stopped
|
|
failed_when: false
|
|
|
|
- name: Find non-persistent rules
|
|
command: egrep -l 'comment.*(neutron-|ironic-inspector)' /etc/sysconfig/iptables* /etc/sysconfig/ip6tables*
|
|
failed_when: false
|
|
changed_when: false
|
|
register: neutron_rules
|
|
|
|
- name: Remove non-persistent line(s)
|
|
lineinfile:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
regexp: '^((?!.*comment)(?=.*(ironic-inspector|neutron-)))'
|
|
when:
|
|
- item.find('v=' ~ '^/') == -1
|
|
loop: "{{ neutron_rules.stdout_lines }}"
|