Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: af009a7a51
Branches Tags
okd
/
roles
/
os_firewall
/
tasks
/
firewall
/
firewalld.yml

firewalld.yml 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. ---
    2. 

  2. - name: Install firewalld packages
    3. 

  3.   yum:
    4. 

  4.     name: firewalld
    5. 

  5.     state: present
    6. 

  6.   when: ansible_pkg_mgr == "yum"
    7. 

  7.   register: install_result
    8. 

  8. 

  9. - name: Install firewalld packages
    10. 

  10.   dnf:
    11. 

  11.     name: firewalld
    12. 

  12.     state: present
    13. 

  13.   when: ansible_pkg_mgr == "dnf"
    14. 

  14.   register: install_result
    15. 

  15. 

  16. - name: Check if iptables-services is installed
    17. 

  17.   command: rpm -q iptables-services
    18. 

  18.   register: pkg_check
    19. 

  19.   failed_when: pkg_check.rc > 1
    20. 

  20.   changed_when: no
    21. 

  21. 

  22. - name: Ensure iptables services are not enabled
    23. 

  23.   service:
    24. 

  24.     name: "{{ item }}"
    25. 

  25.     state: stopped
    26. 

  26.     enabled: no
    27. 

  27.   with_items:
    28. 

  28.   - iptables
    29. 

  29.   - ip6tables
    30. 

  30.   when: pkg_check.rc == 0
    31. 

  31. 

  32. - name: Reload systemd units
    33. 

  33.   command: systemctl daemon-reload
    34. 

  34.   when: install_result | changed
    35. 

  35. 

  36. - name: Start and enable firewalld service
    37. 

  37.   service:
    38. 

  38.     name: firewalld
    39. 

  39.     state: started
    40. 

  40.     enabled: yes
    41. 

  41.   register: result
    42. 

  42. 

  43. - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
    44. 

  44.   pause: seconds=10
    45. 

  45.   when: result | changed
    46. 

  46. 

  47. - name: Mask iptables services
    48. 

  48.   command: systemctl mask "{{ item }}"
    49. 

  49.   register: result
    50. 

  50.   changed_when: "'iptables' in result.stdout"
    51. 

  51.   with_items:
    52. 

  52.   - iptables
    53. 

  53.   - ip6tables
    54. 

  54.   when: pkg_check.rc == 0
    55. 

  55.   ignore_errors: yes
    56. 

  56. 

  57. # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
    58. 

  58. # enabling rules and making them permanent with the immediate flag
    59. 

  59. - name: Add firewalld allow rules
    60. 

  60.   firewalld:
    61. 

  61.     port: "{{ item.port }}"
    62. 

  62.     permanent: false
    63. 

  63.     state: enabled
    64. 

  64.   with_items: os_firewall_allow
    65. 

  65.   when: os_firewall_allow is defined
    66. 

  66. 

  67. - name: Persist firewalld allow rules
    68. 

  68.   firewalld:
    69. 

  69.     port: "{{ item.port }}"
    70. 

  70.     permanent: true
    71. 

  71.     state: enabled
    72. 

  72.   with_items: os_firewall_allow
    73. 

  73.   when: os_firewall_allow is defined
    74. 

  74. 

  75. - name: Remove firewalld allow rules
    76. 

  76.   firewalld:
    77. 

  77.     port: "{{ item.port }}"
    78. 

  78.     permanent: false
    79. 

  79.     state: disabled
    80. 

  80.   with_items: os_firewall_deny
    81. 

  81.   when: os_firewall_deny is defined
    82. 

  82. 

  83. - name: Persist removal of firewalld allow rules
    84. 

  84.   firewalld:
    85. 

  85.     port: "{{ item.port }}"
    86. 

  86.     permanent: true
    87. 

  87.     state: disabled
    88. 

  88.   with_items: os_firewall_deny
    89. 

  89.   when: os_firewall_deny is defined
    90.