common: remove check_firewall code

Check firewall isn't working as expected and might break deployments.
This part of the code will be reworked soon.

Let's focus on configure_firewall code for now.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1541840
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 42e6fa8146e8de1e6dbc27fbd194c8ddcf7d8a81..5c5a7fd6625ed77b32362d02a48af2ea592967cc 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -56,12 +56,6 @@ dummy:
 #iscsi_gw_group_name: iscsigws
 #mgr_group_name: mgrs
 
-# If check_firewall is true, then ansible will try to determine if the
-# Ceph ports are blocked by a firewall. If the machine running ansible
-# cannot reach the Ceph ports for some other reason, you may need or
-# want to set this to False to skip those checks.
-#check_firewall: False
-
 # If configure_firewall is true, then ansible will try to configure the
 # appropriate firewalling rules so that Ceph daemons can communicate
 # with each others.

diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index b260831dcc39a0053a11bbf6e643261b7f6291a5..919890db4d695fb53c5d9bc89dcacb515acfc598 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -56,12 +56,6 @@ fetch_directory: ~/ceph-ansible-keys
 #iscsi_gw_group_name: iscsigws
 #mgr_group_name: mgrs
 
-# If check_firewall is true, then ansible will try to determine if the
-# Ceph ports are blocked by a firewall. If the machine running ansible
-# cannot reach the Ceph ports for some other reason, you may need or
-# want to set this to False to skip those checks.
-#check_firewall: False
-
 # If configure_firewall is true, then ansible will try to configure the
 # appropriate firewalling rules so that Ceph daemons can communicate
 # with each others.

diff --git a/roles/ceph-common/tasks/checks/check_firewall.yml b/roles/ceph-common/tasks/checks/check_firewall.yml
deleted file mode 100644 (file)
index d1e6adb..0000000
--- a/roles/ceph-common/tasks/checks/check_firewall.yml
+++ /dev/null
@@ -1,117 +0,0 @@
----
-- name: check if nmap is installed
-  local_action:
-    module: command
-      command -v nmap
-  changed_when: false
-  failed_when: false
-  register: nmapexist
-  run_once: true
-  check_mode: no
-
-- name: inform that nmap is not present
-  debug:
-      msg: "nmap is not installed, can not test if ceph ports are allowed :("
-  run_once: true
-  when:
-    - nmapexist.rc != 0
-
-- name: check if monitor port is not filtered
-  local_action:
-    module: shell
-      set -o pipefail && nmap -p 6789 {{ hostvars[inventory_hostname]['ansible_' + monitor_interface]['ipv4']['address'] if hostvars[inventory_hostname]['ansible_' + monitor_interface] is defined else hostvars[inventory_hostname]['monitor_address'] }} | grep -sqo -e filtered -e '0 hosts up'
-  changed_when: false
-  failed_when: false
-  register: monportstate
-  check_mode: no
-  when:
-    - mon_group_name in group_names
-    - nmapexist.rc == 0
-
-- name: fail if monitor port is filtered
-  fail:
-      msg: "Please allow port 6789 on your firewall"
-  when:
-    - mon_group_name in group_names
-    - nmapexist.rc == 0
-    - monportstate.rc == 0
-
-- name: check if osd and mds range is not filtered (osd hosts)
-  local_action:
-    module: shell
-      set -o pipefail && nmap -p 6800-7300 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
-  changed_when: false
-  failed_when: false
-  register: osdrangestate
-  check_mode: no
-  when:
-    - osd_group_name in group_names
-    - nmapexist.rc == 0
-
-- name: fail if osd and mds range is filtered (osd hosts)
-  fail:
-      msg: "Please allow range from 6800 to 7300 on your firewall"
-  when:
-    - osd_group_name in group_names
-    - nmapexist.rc == 0
-    - osdrangestate.rc == 0
-
-- name: check if osd and mds range is not filtered (mds hosts)
-  local_action:
-    module: shell
-      set -o pipefail && nmap -p 6800-7300 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
-  changed_when: false
-  failed_when: false
-  register: mdsrangestate
-  check_mode: no
-  when:
-    - mds_group_name in group_names
-    - nmapexist.rc == 0
-
-- name: fail if osd and mds range is filtered (mds hosts)
-  fail:
-      msg: "Please allow range from 6800 to 7300 on your firewall"
-  when:
-    - mds_group_name in group_names
-    - nmapexist.rc == 0
-    - mdsrangestate.rc == 0
-
-- name: check if rados gateway port is not filtered
-  local_action:
-    module: shell
-      set -o pipefail && nmap -p {{ radosgw_frontend_port }} {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
-  changed_when: false
-  failed_when: false
-  register: rgwportstate
-  check_mode: no
-  when:
-    - rgw_group_name in group_names
-    - nmapexist.rc == 0
-
-- name: fail if rados gateway port is filtered
-  fail:
-      msg: "Please allow port {{ radosgw_frontend_port }} on your firewall"
-  when:
-    - rgw_group_name in group_names
-    - nmapexist.rc == 0
-    - rgwportstate.rc == 0
-
-- name: check if NFS ports are not filtered
-  local_action:
-    module: shell
-      set -o pipefail && nmap -p 111,2049 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
-  changed_when: false
-  failed_when: false
-  register: nfsportstate
-  check_mode: no
-  when:
-    - nfs_group_name in group_names
-    - nmapexist.rc == 0
-
-- name: fail if NFS ports are filtered
-  fail:
-      msg: "Please allow ports 111 and 2049 on your firewall"
-  when:
-    - nfs_group_name in group_names
-    - nmapexist.rc == 0
-    - nfsportstate.rc == 0

diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml
index 049cacf45c8df0761612bd8c983e1d74f90addb7..14b38787dafa90028937a98342e152eb19a274a7 100644 (file)
--- a/roles/ceph-common/tasks/main.yml
+++ b/roles/ceph-common/tasks/main.yml
@@ -53,11 +53,6 @@
   tags:
     - always
 
-- name: include_tasks checks/check_firewall.yml
-  include_tasks: checks/check_firewall.yml
-  when:
-    - check_firewall
-
 - name: include_tasks misc/configure_firewall_rpm.yml
   include_tasks: misc/configure_firewall_rpm.yml
   when:

diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 91e2aa5ea4f7696dd18b3ac641b09936f5b0120b..9a1905b04cf38c2ee984fe76ff3697b07da52e87 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -48,12 +48,6 @@ client_group_name: clients
 iscsi_gw_group_name: iscsigws
 mgr_group_name: mgrs
 
-# If check_firewall is true, then ansible will try to determine if the
-# Ceph ports are blocked by a firewall. If the machine running ansible
-# cannot reach the Ceph ports for some other reason, you may need or
-# want to set this to False to skip those checks.
-check_firewall: False
-
 # If configure_firewall is true, then ansible will try to configure the
 # appropriate firewalling rules so that Ceph daemons can communicate
 # with each others.