# want to set this to False to skip those checks.
#check_firewall: False
-# Note: this task will only configure pre-installed firewall
-#configure_firewall: False
-#ceph_mon_firewall_zone: dmz
-#ceph_osd_firewall_zone: dmz
-#ceph_rgw_firewall_zone: dmz
+# Open ports on corresponding nodes if firewall is installed on it
+#ceph_mon_firewall_zone: public
+#ceph_osd_firewall_zone: public
+#ceph_rgw_firewall_zone: public
+#ceph_mds_firewall_zone: public
+#ceph_nfs_firewall_zone: public
+#ceph_restapi_firewall_zone: public
+#ceph_rbdmirror_firewall_zone: public
+#ceph_iscsi_firewall_zone: public
############
# PACKAGES #
# want to set this to False to skip those checks.
#check_firewall: False
-# Note: this task will only configure pre-installed firewall
-#configure_firewall: False
-#ceph_mon_firewall_zone: dmz
-#ceph_osd_firewall_zone: dmz
-#ceph_rgw_firewall_zone: dmz
+# Open ports on corresponding nodes if firewall is installed on it
+#ceph_mon_firewall_zone: public
+#ceph_osd_firewall_zone: public
+#ceph_rgw_firewall_zone: public
+#ceph_mds_firewall_zone: public
+#ceph_nfs_firewall_zone: public
+#ceph_restapi_firewall_zone: public
+#ceph_rbdmirror_firewall_zone: public
+#ceph_iscsi_firewall_zone: public
############
# PACKAGES #
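Review bot: The per-daemon zone default moves from `dmz` to `public`, and the `configure_firewall` opt-out is dropped rather than carried over, so a host whose interfaces sit in firewalld's default zone (typically `public`) gets every Ceph service reachable there unless the operator knows to run with `--skip-tags firewall`; the `check_firewall` line above is a different knob and now reads as the only one. Keeping `#configure_firewall: True` next to the zone list and widening the comment would make the choice explicit, e.g. `# Zone in which each daemon's ports are opened when firewalld is installed; set it per daemon (cluster vs public network) instead of leaving everything on 'public'`. The same block appears in the other sample/group_vars copies in this commit and the note applies to them as well.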
# Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
static: False
-- name: include misc/configure_firewall.yml
- include: misc/configure_firewall.yml
+- name: include misc/configure_firewall_rpm.yml
+ include: misc/configure_firewall_rpm.yml
when:
- - configure_firewall
+ - ansible_os_family in ['RedHat', 'Suse']
# Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
static: False
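Review bot: The include is now gated only on `ansible_os_family in ['RedHat', 'Suse']`, which removes the `configure_firewall` switch the old condition offered, so rules are applied on every RHEL/SUSE host that has the firewalld package regardless of whether the operator wants the playbook to manage the firewall. Keeping an opt-out beside the OS check costs one line and leaves the new default (enabled) intact: `- configure_firewall | default(true) | bool`. The enclosing play starts outside the hunk.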
+++ /dev/null
----
-- name: check firewalld installation on redhat
- command: rpm -q firewalld
- register: firewalld
- ignore_errors: true
- always_run: true
- changed_when: false
- when: ansible_os_family == 'RedHat'
- tags:
- - firewall
-
-- name: open monitor ports
- firewalld:
- service: ceph-mon
- zone: "{{ ceph_mon_firewall_zone }}"
- permanent: true
- immediate: false # if true then fails in case firewalld is stopped
- state: enabled
- notify: restart firewalld
- when:
- - mon_group_name is defined
- - mon_group_name in group_names
- - firewalld.rc == 0
- tags:
- - firewall
-
-- name: open osd ports
- firewalld:
- service: ceph
- zone: "{{ ceph_osd_firewall_zone }}"
- permanent: true
- immediate: false # if true then fails in case firewalld is stopped
- state: enabled
- notify: restart firewalld
- when:
- - osd_group_name is defined
- - osd_group_name in group_names
- - firewalld.rc == 0
- tags:
- - firewall
-
-- name: open rgw ports
- firewalld:
- port: "{{ radosgw_civetweb_port }}/tcp"
- zone: "{{ ceph_rgw_firewall_zone }}"
- permanent: true
- immediate: false # if true then fails in case firewalld is stopped
- state: enabled
- notify: restart firewalld
- when:
- - rgw_group_name is defined
- - rgw_group_name in group_names
- - firewalld.rc == 0
- tags:
- - firewall
-
-- meta: flush_handlers
--- /dev/null
+---
+- name: check firewalld installation on redhat or suse
+ command: rpm -q firewalld
+ args:
+ warn: no
+ register: firewalld_pkg_query
+ ignore_errors: true
+ check_mode: no
+ changed_when: false
+ tags:
+ - firewall
+
+- name: open monitor ports
+ firewalld:
+ service: ceph-mon
+ zone: "{{ ceph_mon_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - mon_group_name is defined
+ - mon_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open osd ports
+ firewalld:
+ service: ceph
+ zone: "{{ ceph_osd_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - osd_group_name is defined
+ - osd_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open rgw ports
+ firewalld:
+ port: "{{ radosgw_civetweb_port }}/tcp"
+ zone: "{{ ceph_rgw_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - rgw_group_name is defined
+ - rgw_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open mds ports
+ firewalld:
+ service: ceph
+ zone: "{{ ceph_mds_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - mds_group_name is defined
+ - mds_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open nfs ports
+ firewalld:
+ service: nfs
+ zone: "{{ ceph_nfs_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - nfs_group_name is defined
+ - nfs_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open nfs ports (portmapper)
+ firewalld:
+ port: "111/tcp"
+ zone: "{{ ceph_nfs_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - nfs_group_name is defined
+ - nfs_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open restapi ports
+ firewalld:
+ port: "{{ restapi_port }}/tcp"
+ zone: "{{ ceph_restapi_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - restapi_group_name is defined
+ - restapi_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open rbdmirror ports
+ firewalld:
+ service: ceph
+ zone: "{{ ceph_rbdmirror_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - rbdmirror_group_name is defined
+ - rbdmirror_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- name: open iscsi ports
+ firewalld:
+ port: "5001/tcp"
+ zone: "{{ ceph_iscsi_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - iscsi_group_name is defined
+ - iscsi_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
+- meta: flush_handlers
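Review bot: `rpm -q firewalld` only proves the package is installed, yet every task below writes permanent rules and notifies `restart firewalld`, so on a host where firewalld is installed but deliberately stopped the handler (defined outside this file) presumably starts it with just the Ceph rules open in the chosen zone; gating the tasks on the service state as well (for example a second registered `systemctl is-active firewalld` command next to the package query) would avoid enabling a firewall the operator left off. The iscsi (`5001/tcp`) and portmapper (`111/tcp`) ports are hard-coded while `restapi_port` and `radosgw_civetweb_port` are templated, so these two cannot follow a daemon's configured port; a variable defaulting to 5001 would match the rest of the file. Only `111/tcp` is opened for rpcbind, so if NFSv3 clients are expected `111/udp` may also be needed — verify against the NFS role. Minor style point: `warn: no` and `check_mode: no` would read more consistently as `false`, matching the `true`/`false` used elsewhere in the file.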
# want to set this to False to skip those checks.
check_firewall: False
-# Note: this task will only configure pre-installed firewall
-configure_firewall: False
-ceph_mon_firewall_zone: dmz
-ceph_osd_firewall_zone: dmz
-ceph_rgw_firewall_zone: dmz
+# Open ports on corresponding nodes if firewall is installed on it
+ceph_mon_firewall_zone: public
+ceph_osd_firewall_zone: public
+ceph_rgw_firewall_zone: public
+ceph_mds_firewall_zone: public
+ceph_nfs_firewall_zone: public
+ceph_restapi_firewall_zone: public
+ceph_rbdmirror_firewall_zone: public
+ceph_iscsi_firewall_zone: public
############
# PACKAGES #