ceph-common: add firewall rules for ceph-mgr

author Sébastien Han <seb@redhat.com>

Mon, 4 Jun 2018 02:40:14 +0000 (10:40 +0800)

committer Guillaume Abrioux <gabrioux@redhat.com>

Mon, 4 Jun 2018 10:11:41 +0000 (12:11 +0200)
author Sébastien Han <seb@redhat.com>
Mon, 4 Jun 2018 02:40:14 +0000 (10:40 +0800)
committer Guillaume Abrioux <gabrioux@redhat.com>
Mon, 4 Jun 2018 10:11:41 +0000 (12:11 +0200)
diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample

index f80452dd0fab0daaeccf2f614f8ba04fc259fa95..754ffd194f6992b06c12ae3059ea50b071485d06 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -63,6 +63,7 @@ dummy:
  
  # Open ports on corresponding nodes if firewall is installed on it
  #ceph_mon_firewall_zone: public
+#ceph_mgr_firewall_zone: public
  #ceph_osd_firewall_zone: public
  #ceph_rgw_firewall_zone: public
  #ceph_mds_firewall_zone: public
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample

index 45b7e3ed10898290dbb45e87272efb71f7089055..10157571ad24b791e4dae2828ab7d7811556938f 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -63,6 +63,7 @@ fetch_directory: ~/ceph-ansible-keys
  
  # Open ports on corresponding nodes if firewall is installed on it
  #ceph_mon_firewall_zone: public
+#ceph_mgr_firewall_zone: public
  #ceph_osd_firewall_zone: public
  #ceph_rgw_firewall_zone: public
  #ceph_mds_firewall_zone: public
diff --git a/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml b/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml

index f6da3cb4f62f5f15db02a2e3c75eb836383f9752..b422a47637c7a5c07fdf168b881268105564035f 100644 (file)
--- a/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
+++ b/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
@@ -25,6 +25,22 @@
    tags:
      - firewall
  
+- name: open manager ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_mgr_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - ceph_release_num[ceph_release] >= ceph_release_num.luminous
+    - mgr_group_name is defined
+    - mgr_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
  - name: open osd ports
    firewalld:
      service: ceph
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml

index eb74c496418356b9e98230fa157ab265df4bef46..4f009091000e53f24133aa4ecfa1709b234276b4 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -55,6 +55,7 @@ check_firewall: False
  
  # Open ports on corresponding nodes if firewall is installed on it
  ceph_mon_firewall_zone: public
+ceph_mgr_firewall_zone: public
  ceph_osd_firewall_zone: public
  ceph_rgw_firewall_zone: public
  ceph_mds_firewall_zone: public
author	Sébastien Han <seb@redhat.com>
	Mon, 4 Jun 2018 02:40:14 +0000 (10:40 +0800)
committer	Guillaume Abrioux <gabrioux@redhat.com>
	Mon, 4 Jun 2018 10:11:41 +0000 (12:11 +0200)
group_vars/all.yml.sample		patch \| blob \| history
group_vars/rhcs.yml.sample		patch \| blob \| history
roles/ceph-common/tasks/misc/configure_firewall_rpm.yml		patch \| blob \| history
roles/ceph-defaults/defaults/main.yml		patch \| blob \| history