common: ability to enable/disable fw configuration

Prior to this patch if you were running on a Red Hat system,
ceph-ansible would try to configure firewalld for you without the
operators's consent.
Now you can enable or disable the fw configuration by setting
configure_firewall to either true or false.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1589146
Signed-off-by: Sébastien Han <seb@redhat.com>

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 54f74328d745ac88fc47a0b8257eda4e63abdaf1..f40cfcb06d416077ab53f43e5c11d90e03d643d6 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -62,6 +62,11 @@ dummy:
 # want to set this to False to skip those checks.
 #check_firewall: False
 
+# If configure_firewall is true, then ansible will try to configure the
+# appropriate firewalling rules so that Ceph daemons can communicate
+# with each others.
+#configure_firewall: False
+
 # Open ports on corresponding nodes if firewall is installed on it
 #ceph_mon_firewall_zone: public
 #ceph_mgr_firewall_zone: public
@@ -73,6 +78,7 @@ dummy:
 #ceph_rbdmirror_firewall_zone: public
 #ceph_iscsi_firewall_zone: public
 
+
 ############
 # PACKAGES #
 ############

diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 6c3b07aafb04f850cbad6eb67958e8d5e4f3f6bb..0d851835060d78ecfe51f3336dabf0eae9de6ab2 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -62,6 +62,11 @@ fetch_directory: ~/ceph-ansible-keys
 # want to set this to False to skip those checks.
 #check_firewall: False
 
+# If configure_firewall is true, then ansible will try to configure the
+# appropriate firewalling rules so that Ceph daemons can communicate
+# with each others.
+#configure_firewall: False
+
 # Open ports on corresponding nodes if firewall is installed on it
 #ceph_mon_firewall_zone: public
 #ceph_mgr_firewall_zone: public
@@ -73,6 +78,7 @@ fetch_directory: ~/ceph-ansible-keys
 #ceph_rbdmirror_firewall_zone: public
 #ceph_iscsi_firewall_zone: public
 
+
 ############
 # PACKAGES #
 ############

diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml
index e3e543fa423c84e45d5c4c136fb2aaa778ac2ad5..c387a05fe83093adc5af4d8af9f21538b347783d 100644 (file)
--- a/roles/ceph-common/tasks/main.yml
+++ b/roles/ceph-common/tasks/main.yml
@@ -79,6 +79,7 @@
 - name: include misc/configure_firewall_rpm.yml
   include: misc/configure_firewall_rpm.yml
   when:
+    - configure_firewall
     - ansible_os_family in ['RedHat', 'Suse']
   # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
   static: False

diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 3dd454e42739249a6bb1125d95bd3924d979ff33..dba551e6f12d5d981e034b4e73b3eb3bf5232a36 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -54,6 +54,11 @@ mgr_group_name: mgrs
 # want to set this to False to skip those checks.
 check_firewall: False
 
+# If configure_firewall is true, then ansible will try to configure the
+# appropriate firewalling rules so that Ceph daemons can communicate
+# with each others.
+configure_firewall: False
+
 # Open ports on corresponding nodes if firewall is installed on it
 ceph_mon_firewall_zone: public
 ceph_mgr_firewall_zone: public
@@ -65,6 +70,7 @@ ceph_restapi_firewall_zone: public
 ceph_rbdmirror_firewall_zone: public
 ceph_iscsi_firewall_zone: public
 
+
 ############
 # PACKAGES #
 ############