
Enable firewalld by default

Russell Teague 8 lat temu
rodzic
commit
05e189a039

+ 0 - 1
roles/docker/meta/main.yml

@@ -11,4 +11,3 @@ galaxy_info:
     - 7
 dependencies:
 - role: os_firewall
-  os_firewall_use_firewalld: False

+ 12 - 10
roles/docker/tasks/main.yml

@@ -43,16 +43,18 @@
   package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
   when: not openshift.common.is_atomic | bool
 
-- name: Ensure docker.service.d directory exists
-  file:
-    path: "{{ docker_systemd_dir }}"
-    state: directory
-
-# Extend the default Docker service unit file
-- name: Configure Docker service unit file
-  template:
-    dest: "{{ docker_systemd_dir }}/custom.conf"
-    src: custom.conf.j2
+- block:
+  # Extend the default Docker service unit file when using iptables-services
+  - name: Ensure docker.service.d directory exists
+    file:
+      path: "{{ docker_systemd_dir }}"
+      state: directory
+
+  - name: Configure Docker service unit file
+    template:
+      dest: "{{ docker_systemd_dir }}/custom.conf"
+      src: custom.conf.j2
+  when: not os_firewall_use_firewalld | default(True) | bool
 
 - include: udev_workaround.yml
   when: docker_udev_workaround | default(False) | bool
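Review bot: The comment `# Extend the default Docker service unit file when using iptables-services` is placed inside the block's task list, directly above the first task, while the condition it explains is the block-level `when:` eleven lines further down; moving it above `- block:` ties the comment to the condition it describes. The `default(True)` on that `when:` line is a second copy of the variable's default, and since roles/os_firewall/defaults/main.yml now derives the default from `openshift.common.is_atomic`, the two can drift: on an Atomic host where the os_firewall default has not been loaded this line would assume firewalld and skip the drop-in. The meta dependency on os_firewall in roles/docker/meta/main.yml still loads that default, so the fallback is presumably never reached; a short comment, `# default only matters if os_firewall defaults were not loaded`, or dropping the `default()` altogether, would make that explicit.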

+ 5 - 2
roles/os_firewall/README.md

@@ -4,6 +4,9 @@ OS Firewall
 OS Firewall manages firewalld and iptables firewall settings for a minimal use
 case (Adding/Removing rules based on protocol and port number).
 
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
 Requirements
 ------------
 
@@ -14,7 +17,7 @@ Role Variables
 
 | Name                      | Default |                                        |
 |---------------------------|---------|----------------------------------------|
-| os_firewall_use_firewalld | False   | If false, use iptables                 |
+| os_firewall_use_firewalld | True    | If false, use iptables                 |
 | os_firewall_allow         | []      | List of service,port mappings to allow |
 | os_firewall_deny          | []      | List of service, port mappings to deny |
 
@@ -31,6 +34,7 @@ Use iptables and open tcp ports 80 and 443:
 ---
 - hosts: servers
   vars:
+    os_firewall_use_firewalld: false
     os_firewall_allow:
     - service: httpd
       port: 80/tcp
@@ -45,7 +49,6 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80:
 ---
 - hosts: servers
   vars:
-    os_firewall_use_firewalld: true
     os_firewall_allow:
     - service: https
       port: 443/tcp

+ 3 - 5
roles/os_firewall/defaults/main.yml

@@ -1,9 +1,7 @@
 ---
 os_firewall_enabled: True
-# TODO: Upstream kubernetes only supports iptables currently
-# TODO: it might be possible to still use firewalld if we wire up the created
-# chains with the public zone (or the zone associated with the correct
-# interfaces)
-os_firewall_use_firewalld: False
+# firewalld is not supported on Atomic Host
+# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+os_firewall_use_firewalld: "{{ False if openshift.common.is_atomic | bool else True }}"
 os_firewall_allow: []
 os_firewall_deny: []
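Review bot: The new default for `os_firewall_use_firewalld` dereferences `openshift.common.is_atomic` without a guard, so any play that applies os_firewall before the `openshift` fact has been populated fails with an undefined-variable error the first time the variable is used, where the old literal `False` could not; the README examples in this same commit show the role applied to plain `servers` hosts, which suggests that usage is at least documented. A defensive form that keeps firewalld as the default when the fact is absent is `os_firewall_use_firewalld: "{{ not (openshift.common.is_atomic | default(False) | bool) }}"`. Whether standalone use is actually supported depends on the rest of the role, which is outside this hunk, so if it is not, a comment stating that openshift_facts must run first would do instead.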

+ 6 - 0
roles/os_firewall/tasks/main.yml

@@ -1,4 +1,10 @@
 ---
+- name: Assert - Do not use firewalld on Atomic Host
+  assert:
+    that: not os_firewall_use_firewalld | bool
+    msg: "Firewalld is not supported on Atomic Host"
+  when: openshift.common.is_atomic | bool
+
 - include: firewall/firewalld.yml
   when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
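Review bot: The added assert runs regardless of `os_firewall_enabled`, so an Atomic host that has firewall management switched off but `os_firewall_use_firewalld` left true (for example inherited from group vars) aborts the play even though neither firewall include below it would run. If the intent is to reject only an active firewalld configuration, gating it like the includes does that: `when: openshift.common.is_atomic | bool and os_firewall_enabled | bool`. If failing on any Atomic host with the variable set is deliberate, a comment above the task saying so would stop the next reader from relaxing it.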