Merge pull request #5084 from mtnbikenc/refactor-os_firewall

Additional os_firewall role refactoring

playbooks/common/openshift-cluster/config.yml

@@ -22,6 +22,10 @@
       - docker_image_availability
       - docker_storage
 
+- include: initialize_firewall.yml
+  tags:
+  - always
+
 - hosts: localhost
   tasks:
   - fail:

playbooks/common/openshift-cluster/std_include.yml

@@ -18,7 +18,3 @@
 - include: initialize_openshift_version.yml
   tags:
   - always
-
-- include: initialize_firewall.yml
-  tags:
-  - always

roles/os_firewall/meta/main.yml

@@ -1,16 +0,0 @@
----
-galaxy_info:
-  author: Jason DeTiberus
-  description: os_firewall
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 2.2
-  platforms:
-    - name: EL
-      versions:
-        - 7
-  categories:
-    - system
-allow_duplicates: yes
-dependencies:
-  - role: openshift_facts

roles/os_firewall/tasks/firewall/firewalld.yml

@@ -1,4 +1,9 @@
 ---
+- name: Fail - Firewalld is not supported on Atomic Host
+  fail:
+    msg: "Firewalld is not supported on Atomic Host"
+  when: r_os_firewall_is_atomic | bool
+
 - name: Install firewalld packages
   package:
     name: firewalld
@@ -31,7 +36,8 @@
   register: result
 
 - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
-  pause: seconds=10
+  pause:
+    seconds: 10
   when: result | changed
 
 - name: Restart polkitd

roles/os_firewall/tasks/firewall/iptables.yml

@@ -15,11 +15,13 @@
   when: task_result | changed
 
 - name: Install iptables packages
-  package: name={{ item }} state=present
+  package:
+    name: "{{ item }}"
+    state: present
   with_items:
     - iptables
     - iptables-services
-  when: not openshift.common.is_atomic | bool
+  when: not r_os_firewall_is_atomic | bool
 
 - name: Start and enable iptables service
   systemd:
@@ -34,5 +36,6 @@
   with_items: "{{ ansible_play_hosts }}"
 
 - name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
-  pause: seconds=10
+  pause:
+    seconds: 10
   when: result | changed

roles/os_firewall/tasks/main.yml

@@ -1,12 +1,19 @@
 ---
-- name: Assert - Do not use firewalld on Atomic Host
-  assert:
-    that: not os_firewall_use_firewalld | bool
-    msg: "Firewalld is not supported on Atomic Host"
-  when: openshift.common.is_atomic | bool
+- name: Detecting Atomic Host Operating System
+  stat:
+    path: /run/ostree-booted
+  register: r_os_firewall_ostree_booted
 
-- include: firewall/firewalld.yml
-  when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- name: Set fact r_os_firewall_is_atomic
+  set_fact:
+    r_os_firewall_is_atomic: "{{ r_os_firewall_ostree_booted.stat.exists }}"
 
-- include: firewall/iptables.yml
-  when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- include: firewalld.yml
+  when:
+  - os_firewall_enabled | bool
+  - os_firewall_use_firewalld | bool
+
+- include: iptables.yml
+  when:
+  - os_firewall_enabled | bool
+  - not os_firewall_use_firewalld | bool