Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 4a2e65e550
Branches Tags
okd
/
roles
/
os_firewall
/
tasks
/
firewall
/
firewalld.yml

firewalld.yml 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. ---
    2. 

  2. - name: Install firewalld packages
    3. 

  3.   action: "{{ ansible_pkg_mgr }} name=firewalld state=present"
    4. 

  4.   when: not openshift.common.is_containerized | bool
    5. 

  5.   register: install_result
    6. 

  6. 

  7. - name: Check if iptables-services is installed
    8. 

  8.   command: rpm -q iptables-services
    9. 

  9.   register: pkg_check
    10. 

  10.   failed_when: pkg_check.rc > 1
    11. 

  11.   changed_when: no
    12. 

  12. 

  13. - name: Ensure iptables services are not enabled
    14. 

  14.   service:
    15. 

  15.     name: "{{ item }}"
    16. 

  16.     state: stopped
    17. 

  17.     enabled: no
    18. 

  18.   with_items:
    19. 

  19.   - iptables
    20. 

  20.   - ip6tables
    21. 

  21.   when: pkg_check.rc == 0
    22. 

  22. 

  23. - name: Reload systemd units
    24. 

  24.   command: systemctl daemon-reload
    25. 

  25.   when: install_result | changed
    26. 

  26. 

  27. - name: Start and enable firewalld service
    28. 

  28.   service:
    29. 

  29.     name: firewalld
    30. 

  30.     state: started
    31. 

  31.     enabled: yes
    32. 

  32.   register: result
    33. 

  33. 

  34. - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
    35. 

  35.   pause: seconds=10
    36. 

  36.   when: result | changed
    37. 

  37. 

  38. - name: Mask iptables services
    39. 

  39.   command: systemctl mask "{{ item }}"
    40. 

  40.   register: result
    41. 

  41.   changed_when: "'iptables' in result.stdout"
    42. 

  42.   with_items:
    43. 

  43.   - iptables
    44. 

  44.   - ip6tables
    45. 

  45.   when: pkg_check.rc == 0
    46. 

  46.   ignore_errors: yes
    47. 

  47. 

  48. # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
    49. 

  49. # enabling rules and making them permanent with the immediate flag
    50. 

  50. - name: Add firewalld allow rules
    51. 

  51.   firewalld:
    52. 

  52.     port: "{{ item.port }}"
    53. 

  53.     permanent: false
    54. 

  54.     state: enabled
    55. 

  55.   with_items: os_firewall_allow
    56. 

  56.   when: os_firewall_allow is defined
    57. 

  57. 

  58. - name: Persist firewalld allow rules
    59. 

  59.   firewalld:
    60. 

  60.     port: "{{ item.port }}"
    61. 

  61.     permanent: true
    62. 

  62.     state: enabled
    63. 

  63.   with_items: os_firewall_allow
    64. 

  64.   when: os_firewall_allow is defined
    65. 

  65. 

  66. - name: Remove firewalld allow rules
    67. 

  67.   firewalld:
    68. 

  68.     port: "{{ item.port }}"
    69. 

  69.     permanent: false
    70. 

  70.     state: disabled
    71. 

  71.   with_items: os_firewall_deny
    72. 

  72.   when: os_firewall_deny is defined
    73. 

  73. 

  74. - name: Persist removal of firewalld allow rules
    75. 

  75.   firewalld:
    76. 

  76.     port: "{{ item.port }}"
    77. 

  77.     permanent: true
    78. 

  78.     state: disabled
    79. 

  79.   with_items: os_firewall_deny
    80. 

  80.   when: os_firewall_deny is defined
    81.