revert infra: don't restart firewalld if unit is masked

author Guillaume Abrioux <gabrioux@redhat.com>

Fri, 30 Nov 2018 16:12:21 +0000 (17:12 +0100)

committer Guillaume Abrioux <gabrioux@redhat.com>

Tue, 4 Dec 2018 16:31:31 +0000 (17:31 +0100)
author Guillaume Abrioux <gabrioux@redhat.com>
Fri, 30 Nov 2018 16:12:21 +0000 (17:12 +0100)
committer Guillaume Abrioux <gabrioux@redhat.com>
Tue, 4 Dec 2018 16:31:31 +0000 (17:31 +0100)
diff --git a/roles/ceph-defaults/tasks/facts.yml b/roles/ceph-defaults/tasks/facts.yml

index 4a3f6cf4ceb17259c9fae0059ebfa3e9a160c17e..0eb1d3a2c2cd5d2ed9b43971a58430a6232e1f59 100644 (file)
--- a/roles/ceph-defaults/tasks/facts.yml
+++ b/roles/ceph-defaults/tasks/facts.yml
@@ -247,6 +247,3 @@
  - name: set_fact osd_pool_default_size
    set_fact:
      osd_pool_default_size: "{{ ceph_conf_overrides.get('global', {}).get('osd_pool_default_size', ceph_osd_pool_default_size) }}"
-
-- name: populate service facts
-  service_facts:
diff --git a/roles/ceph-infra/handlers/main.yml b/roles/ceph-infra/handlers/main.yml

index dc97de47b2dcf64574e6a44c470cc4809bc2ac3f..49fb8e843bc23f19c04d9353179e65bbe6affbec 100644 (file)
--- a/roles/ceph-infra/handlers/main.yml
+++ b/roles/ceph-infra/handlers/main.yml
@@ -3,7 +3,4 @@
    service:
      name: firewalld
      state: restarted
-    enabled: yes
-  when:
-    - ansible_facts['services']['firewalld.service'] is defined
-    - ansible_facts['services']['firewalld.service']['state'] != 'masked'
-\ No newline at end of file
+    enabled: yes
+\ No newline at end of file
diff --git a/roles/ceph-infra/tasks/configure_firewall.yml b/roles/ceph-infra/tasks/configure_firewall.yml

index e316c7f63aadbf1f42ed39536960809dbdaa8331..aed0e26178b4bb9d1edb795bde13d69012b59e3e 100644 (file)
--- a/roles/ceph-infra/tasks/configure_firewall.yml
+++ b/roles/ceph-infra/tasks/configure_firewall.yml
@@ -12,192 +12,171 @@
    when:
      - not containerized_deployment
  
-- name: start firewalld
-  service:
-    name: firewalld
-    state: started
-    enabled: yes
-  when:
-    - firewalld_pkg_query.get('rc', 1) == 0
-      or is_atomic
+- block:
+  - name: start firewalld
+    service:
+      name: firewalld
+      state: started
+      enabled: yes
  
-- name: open monitor ports
-  firewalld:
-    service: ceph-mon
-    zone: "{{ ceph_mon_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - mon_group_name is defined
-    - mon_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open monitor and manager ports
+    firewalld:
+      service: "{{ item.service }}"
+      zone: "{{ item.zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    with_items:
+      - { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" }
+      - { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" }
+    when:
+      - mon_group_name is defined
+      - mon_group_name in group_names
+    tags:
+      - firewall
  
-- name: open manager ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_mgr_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - mgr_group_name is defined
-    - mgr_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open manager ports
+    firewalld:
+      service: ceph
+      zone: "{{ ceph_mgr_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - mgr_group_name is defined
+      - mgr_group_name in group_names
+    tags:
+      - firewall
  
-- name: open osd ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_osd_firewall_zone }}"
-    source: "{{ item }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  with_items:
-    - "{{ public_network }}"
-    - "{{ cluster_network }}"
-  notify: restart firewalld
-  when:
-    - osd_group_name is defined
-    - osd_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open osd ports
+    firewalld:
+      service: ceph
+      zone: "{{ ceph_osd_firewall_zone }}"
+      source: "{{ item }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    with_items:
+      - "{{ public_network }}"
+      - "{{ cluster_network }}"
+    notify: restart firewalld
+    when:
+      - osd_group_name is defined
+      - osd_group_name in group_names
+    tags:
+      - firewall
  
-- name: open rgw ports
-  firewalld:
-    port: "{{ radosgw_frontend_port }}/tcp"
-    zone: "{{ ceph_rgw_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - rgw_group_name is defined
-    - rgw_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open rgw ports
+    firewalld:
+      port: "{{ radosgw_frontend_port }}/tcp"
+      zone: "{{ ceph_rgw_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - rgw_group_name is defined
+      - rgw_group_name in group_names
+    tags:
+      - firewall
  
-- name: open mds ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_mds_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - mds_group_name is defined
-    - mds_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open mds ports
+    firewalld:
+      service: ceph
+      zone: "{{ ceph_mds_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - mds_group_name is defined
+      - mds_group_name in group_names
+    tags:
+      - firewall
  
-- name: open nfs ports
-  firewalld:
-    service: nfs
-    zone: "{{ ceph_nfs_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - nfs_group_name is defined
-    - nfs_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open nfs ports
+    firewalld:
+      service: nfs
+      zone: "{{ ceph_nfs_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - nfs_group_name is defined
+      - nfs_group_name in group_names
+    tags:
+      - firewall
  
-- name: open nfs ports (portmapper)
-  firewalld:
-    port: "111/tcp"
-    zone: "{{ ceph_nfs_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - nfs_group_name is defined
-    - nfs_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open nfs ports (portmapper)
+    firewalld:
+      port: "111/tcp"
+      zone: "{{ ceph_nfs_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - nfs_group_name is defined
+      - nfs_group_name in group_names
+    tags:
+      - firewall
  
-- name: open restapi ports
-  firewalld:
-    port: "{{ restapi_port }}/tcp"
-    zone: "{{ ceph_restapi_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - restapi_group_name is defined
-    - restapi_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open rbdmirror ports
+    firewalld:
+      service: ceph
+      zone: "{{ ceph_rbdmirror_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - rbdmirror_group_name is defined
+      - rbdmirror_group_name in group_names
+    tags:
+      - firewall
  
-- name: open rbdmirror ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_rbdmirror_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - rbdmirror_group_name is defined
-    - rbdmirror_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open iscsi target ports
+    firewalld:
+      port: "3260/tcp"
+      zone: "{{ ceph_iscsi_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - iscsi_gw_group_name is defined
+      - iscsi_gw_group_name in group_names
+    tags:
+      - firewall
  
-- name: open iscsi target ports
-  firewalld:
-    port: "3260/tcp"
-    zone: "{{ ceph_iscsi_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
-  when:
-    - iscsi_gw_group_name is defined
-    - iscsi_gw_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+  - name: open iscsi api ports
+    firewalld:
+      port: "{{ api_port | default(5000) }}/tcp"
+      zone: "{{ ceph_iscsi_firewall_zone }}"
+      source: "{{ public_network }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    notify: restart firewalld
+    when:
+      - iscsi_gw_group_name is defined
+      - iscsi_gw_group_name in group_names
+    tags:
+      - firewall
  
-- name: open iscsi api ports
-  firewalld:
-    port: "{{ api_port | default(5000) }}/tcp"
-    zone: "{{ ceph_iscsi_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  notify: restart firewalld
    when:
-    - iscsi_gw_group_name is defined
-    - iscsi_gw_group_name in group_names
-    - (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic)
-  tags:
-    - firewall
+    - (firewalld_pkg_query.get('rc', 1) == 0
+      or is_atomic)
  
  - meta: flush_handlers
author	Guillaume Abrioux <gabrioux@redhat.com>
	Fri, 30 Nov 2018 16:12:21 +0000 (17:12 +0100)
committer	Guillaume Abrioux <gabrioux@redhat.com>
	Tue, 4 Dec 2018 16:31:31 +0000 (17:31 +0100)
roles/ceph-defaults/tasks/facts.yml		patch \| blob \| history
roles/ceph-infra/handlers/main.yml		patch \| blob \| history
roles/ceph-infra/tasks/configure_firewall.yml		patch \| blob \| history