首頁 探索 說明
註冊 登入
shixiong
/
okd
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: 991b232e34
分支列表 標籤列表
okd
/
roles
/
os_firewall
/
tasks
/
firewall
/
firewalld.yml

firewalld.yml 1.9 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. ---
    2. 

  2. - name: Install firewalld packages
    3. 

  3.   yum:
    4. 

  4.     name: firewalld
    5. 

  5.     state: present
    6. 

  6.   register: install_result
    7. 

  7. 

  8. - name: Check if iptables-services is installed
    9. 

  9.   command: rpm -q iptables-services
    10. 

  10.   register: pkg_check
    11. 

  11.   failed_when: pkg_check.rc > 1
    12. 

  12.   changed_when: no
    13. 

  13. 

  14. - name: Ensure iptables services are not enabled
    15. 

  15.   service:
    16. 

  16.     name: "{{ item }}"
    17. 

  17.     state: stopped
    18. 

  18.     enabled: no
    19. 

  19.   with_items:
    20. 

  20.   - iptables
    21. 

  21.   - ip6tables
    22. 

  22.   when: pkg_check.rc == 0
    23. 

  23. 

  24. - name: Reload systemd units
    25. 

  25.   command: systemctl daemon-reload
    26. 

  26.   when: install_result | changed
    27. 

  27. 

  28. - name: Start and enable firewalld service
    29. 

  29.   service:
    30. 

  30.     name: firewalld
    31. 

  31.     state: started
    32. 

  32.     enabled: yes
    33. 

  33.   register: result
    34. 

  34. 

  35. - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
    36. 

  36.   pause: seconds=10
    37. 

  37.   when: result | changed
    38. 

  38. 

  39. - name: Mask iptables services
    40. 

  40.   command: systemctl mask "{{ item }}"
    41. 

  41.   register: result
    42. 

  42.   changed_when: "'iptables' in result.stdout"
    43. 

  43.   with_items:
    44. 

  44.   - iptables
    45. 

  45.   - ip6tables
    46. 

  46.   when: pkg_check.rc == 0
    47. 

  47.   ignore_errors: yes
    48. 

  48. 

  49. # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
    50. 

  50. # enabling rules and making them permanent with the immediate flag
    51. 

  51. - name: Add firewalld allow rules
    52. 

  52.   firewalld:
    53. 

  53.     port: "{{ item.port }}"
    54. 

  54.     permanent: false
    55. 

  55.     state: enabled
    56. 

  56.   with_items: os_firewall_allow
    57. 

  57.   when: os_firewall_allow is defined
    58. 

  58. 

  59. - name: Persist firewalld allow rules
    60. 

  60.   firewalld:
    61. 

  61.     port: "{{ item.port }}"
    62. 

  62.     permanent: true
    63. 

  63.     state: enabled
    64. 

  64.   with_items: os_firewall_allow
    65. 

  65.   when: os_firewall_allow is defined
    66. 

  66. 

  67. - name: Remove firewalld allow rules
    68. 

  68.   firewalld:
    69. 

  69.     port: "{{ item.port }}"
    70. 

  70.     permanent: false
    71. 

  71.     state: disabled
    72. 

  72.   with_items: os_firewall_deny
    73. 

  73.   when: os_firewall_deny is defined
    74. 

  74. 

  75. - name: Persist removal of firewalld allow rules
    76. 

  76.   firewalld:
    77. 

  77.     port: "{{ item.port }}"
    78. 

  78.     permanent: true
    79. 

  79.     state: disabled
    80. 

  80.   with_items: os_firewall_deny
    81. 

  81.   when: os_firewall_deny is defined
    82.