Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 7e0c346c84
Branches Tags
okd
/
roles
/
os_firewall
/
tasks
/
firewall
/
firewalld.yml

firewalld.yml 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 
  1. ---
    2. 

  2. - name: Install firewalld packages
    3. 

  3.   package: name=firewalld state=present
    4. 

  4.   when: not openshift.common.is_containerized | bool
    5. 

  5.   register: install_result
    6. 

  6. 

  7. - name: Check if iptables-services is installed
    8. 

  8.   command: rpm -q iptables-services
    9. 

  9.   register: pkg_check
    10. 

  10.   failed_when: pkg_check.rc > 1
    11. 

  11.   changed_when: no
    12. 

  12. 

  13. - name: Ensure iptables services are not enabled
    14. 

  14.   service:
    15. 

  15.     name: "{{ item }}"
    16. 

  16.     state: stopped
    17. 

  17.     enabled: no
    18. 

  18.   with_items:
    19. 

  19.   - iptables
    20. 

  20.   - ip6tables
    21. 

  21.   when: pkg_check.rc == 0
    22. 

  22. 

  23. - name: Reload systemd units
    24. 

  24.   command: systemctl daemon-reload
    25. 

  25.   when: install_result | changed
    26. 

  26. 

  27. - name: Determine if firewalld service masked
    28. 

  28.   command: >
    29. 

  29.     systemctl is-enabled firewalld
    30. 

  30.   register: os_firewall_firewalld_masked_output
    31. 

  31.   changed_when: false
    32. 

  32.   failed_when: false
    33. 

  33. 

  34. - name: Unmask firewalld service
    35. 

  35.   command: >
    36. 

  36.     systemctl unmask firewalld
    37. 

  37.   when: os_firewall_firewalld_masked_output.stdout == "masked"
    38. 

  38. 

  39. - name: Start and enable firewalld service
    40. 

  40.   service:
    41. 

  41.     name: firewalld
    42. 

  42.     state: started
    43. 

  43.     enabled: yes
    44. 

  44.   register: result
    45. 

  45. 

  46. - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
    47. 

  47.   pause: seconds=10
    48. 

  48.   when: result | changed
    49. 

  49. 

  50. - name: Mask iptables services
    51. 

  51.   command: systemctl mask "{{ item }}"
    52. 

  52.   register: result
    53. 

  53.   changed_when: "'iptables' in result.stdout"
    54. 

  54.   with_items:
    55. 

  55.   - iptables
    56. 

  56.   - ip6tables
    57. 

  57.   when: pkg_check.rc == 0
    58. 

  58.   ignore_errors: yes
    59. 

  59. 

  60. # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
    61. 

  61. # enabling rules and making them permanent with the immediate flag
    62. 

  62. - name: Add firewalld allow rules
    63. 

  63.   firewalld:
    64. 

  64.     port: "{{ item.port }}"
    65. 

  65.     permanent: false
    66. 

  66.     state: enabled
    67. 

  67.   with_items: "{{ os_firewall_allow }}"
    68. 

  68. 

  69. - name: Persist firewalld allow rules
    70. 

  70.   firewalld:
    71. 

  71.     port: "{{ item.port }}"
    72. 

  72.     permanent: true
    73. 

  73.     state: enabled
    74. 

  74.   with_items: "{{ os_firewall_allow }}"
    75. 

  75. 

  76. - name: Remove firewalld allow rules
    77. 

  77.   firewalld:
    78. 

  78.     port: "{{ item.port }}"
    79. 

  79.     permanent: false
    80. 

  80.     state: disabled
    81. 

  81.   with_items: "{{ os_firewall_deny }}"
    82. 

  82. 

  83. - name: Persist removal of firewalld allow rules
    84. 

  84.   firewalld:
    85. 

  85.     port: "{{ item.port }}"
    86. 

  86.     permanent: true
    87. 

  87.     state: disabled
    88. 

  88.   with_items: "{{ os_firewall_deny }}"
    89.