infra: add firewall configuration for containerized deployment
authorGuillaume Abrioux <gabrioux@redhat.com>
Tue, 9 Oct 2018 17:38:51 +0000 (13:38 -0400)
committermergify[bot] <mergify[bot]@users.noreply.github.com>
Wed, 10 Oct 2018 15:44:33 +0000 (15:44 +0000)
firewalld is available on atomic, so there is no reason not to apply
firewall configuration.

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
roles/ceph-infra/tasks/configure_firewall_rpm.yml [deleted file]
roles/ceph-infra/tasks/configure_firewallyml [new file with mode: 0644]
roles/ceph-infra/tasks/main.yml
site-docker.yml.sample

diff --git a/roles/ceph-infra/tasks/configure_firewall_rpm.yml b/roles/ceph-infra/tasks/configure_firewall_rpm.yml
deleted file mode 100644 (file)
index 301c674..0000000
+++ /dev/null
@@ -1,185 +0,0 @@
----
-- name: check firewalld installation on redhat or suse
-  command: rpm -q firewalld
-  args:
-    warn: no
-  register: firewalld_pkg_query
-  ignore_errors: true
-  check_mode: no
-  changed_when: false
-  tags:
-    - firewall
-
-- name: start firewalld
-  service:
-    name: firewalld
-    state: started
-    enabled: yes
-  when:
-    - firewalld_pkg_query.rc == 0
-
-- name: open monitor ports
-  firewalld:
-    service: ceph-mon
-    zone: "{{ ceph_mon_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - mon_group_name is defined
-    - mon_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open manager ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_mgr_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - ceph_release_num[ceph_release] >= ceph_release_num.luminous
-    - mgr_group_name is defined
-    - mgr_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open osd ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_osd_firewall_zone }}"
-    source: "{{ item }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  with_items:
-    - "{{ public_network }}"
-    - "{{ cluster_network }}"
-  notify: restart firewalld
-  when:
-    - osd_group_name is defined
-    - osd_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open rgw ports
-  firewalld:
-    port: "{{ radosgw_frontend_port }}/tcp"
-    zone: "{{ ceph_rgw_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - rgw_group_name is defined
-    - rgw_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open mds ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_mds_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - mds_group_name is defined
-    - mds_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open nfs ports
-  firewalld:
-    service: nfs
-    zone: "{{ ceph_nfs_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - nfs_group_name is defined
-    - nfs_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open nfs ports (portmapper)
-  firewalld:
-    port: "111/tcp"
-    zone: "{{ ceph_nfs_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - nfs_group_name is defined
-    - nfs_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open restapi ports
-  firewalld:
-    port: "{{ restapi_port }}/tcp"
-    zone: "{{ ceph_restapi_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - restapi_group_name is defined
-    - restapi_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open rbdmirror ports
-  firewalld:
-    service: ceph
-    zone: "{{ ceph_rbdmirror_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - rbdmirror_group_name is defined
-    - rbdmirror_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- name: open iscsi ports
-  firewalld:
-    port: "5001/tcp"
-    zone: "{{ ceph_iscsi_firewall_zone }}"
-    source: "{{ public_network }}"
-    permanent: true
-    immediate: false # if true then fails in case firewalld is stopped
-    state: enabled
-  notify: restart firewalld
-  when:
-    - iscsi_group_name is defined
-    - iscsi_group_name in group_names
-    - firewalld_pkg_query.rc == 0
-  tags:
-    - firewall
-
-- meta: flush_handlers
diff --git a/roles/ceph-infra/tasks/configure_firewallyml b/roles/ceph-infra/tasks/configure_firewallyml
new file mode 100644 (file)
index 0000000..c0e41d8
--- /dev/null
@@ -0,0 +1,189 @@
+---
+- name: check firewalld installation on redhat or suse
+  command: rpm -q firewalld
+  args:
+    warn: no
+  register: firewalld_pkg_query
+  ignore_errors: true
+  check_mode: no
+  changed_when: false
+  tags:
+    - firewall
+  when:
+    - not containerized_deployment
+
+- name: start firewalld
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  when:
+    - not firewalld_pkg_query.skipped
+    - firewalld_pkg_query.rc == 0
+      or is_atomic
+
+- name: open monitor ports
+  firewalld:
+    service: ceph-mon
+    zone: "{{ ceph_mon_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - mon_group_name is defined
+    - mon_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open manager ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_mgr_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - ceph_release_num[ceph_release] >= ceph_release_num.luminous
+    - mgr_group_name is defined
+    - mgr_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open osd ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_osd_firewall_zone }}"
+    source: "{{ item }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  with_items:
+    - "{{ public_network }}"
+    - "{{ cluster_network }}"
+  notify: restart firewalld
+  when:
+    - osd_group_name is defined
+    - osd_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open rgw ports
+  firewalld:
+    port: "{{ radosgw_frontend_port }}/tcp"
+    zone: "{{ ceph_rgw_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - rgw_group_name is defined
+    - rgw_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open mds ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_mds_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - mds_group_name is defined
+    - mds_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open nfs ports
+  firewalld:
+    service: nfs
+    zone: "{{ ceph_nfs_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - nfs_group_name is defined
+    - nfs_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open nfs ports (portmapper)
+  firewalld:
+    port: "111/tcp"
+    zone: "{{ ceph_nfs_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - nfs_group_name is defined
+    - nfs_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open restapi ports
+  firewalld:
+    port: "{{ restapi_port }}/tcp"
+    zone: "{{ ceph_restapi_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - restapi_group_name is defined
+    - restapi_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open rbdmirror ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_rbdmirror_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - rbdmirror_group_name is defined
+    - rbdmirror_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- name: open iscsi ports
+  firewalld:
+    port: "5001/tcp"
+    zone: "{{ ceph_iscsi_firewall_zone }}"
+    source: "{{ public_network }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - iscsi_group_name is defined
+    - iscsi_group_name in group_names
+    - firewalld_pkg_query.rc == 0
+  tags:
+    - firewall
+
+- meta: flush_handlers
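Review bot: Every `open … ports` task in this file still gates on `firewalld_pkg_query.rc == 0` in its `when:` list, but the `check firewalld installation` task is now skipped when `containerized_deployment` is set, and the registered result of a skipped task carries no `rc` key — so on containerized hosts each of those conditionals either errors out or evaluates false, and no rule is opened for exactly the deployment this commit is meant to cover. The `start firewalld` task has the mirror-image gap: `not firewalld_pkg_query.skipped` is false whenever the query was skipped, so the `or is_atomic` branch can never be reached on a containerized host (and on a package-based host `skipped` may be absent from the result, which would also break the check). Give every consumer the same tolerant condition, e.g. `- firewalld_pkg_query.get('rc', 1) == 0 or is_atomic`, and drop the `not firewalld_pkg_query.skipped` line. As a secondary style point, `warn: no`, `check_mode: no` and `enabled: yes` are YAML 1.1 truthy spellings; `false`/`true` is the canonical form and matches the `ignore_errors: true` / `permanent: true` already used in the same file.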
index 418c257b66652bf8ebb63c2edd09fb85bc2b0177..af5fd6fcdf327d8be3968cf6813c9f7d2812e108 100644 (file)
@@ -1,6 +1,6 @@
 ---
-- name: include_tasks configure_firewall_rpm.yml
-  include_tasks: configure_firewall_rpm.yml
+- name: include_tasks configure_firewall.yml
+  include_tasks: configure_firewall.yml
   when:
     - configure_firewall
     - ansible_os_family in ['RedHat', 'Suse']
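Review bot: The included file is named `configure_firewall.yml` here, but the new file is listed on this page as `roles/ceph-infra/tasks/configure_firewallyml` (no dot before the extension); if that is the real path rather than a rendering artifact, this `include_tasks` fails on every host and the firewall is never configured. Worth confirming the actual file name in the tree before merging. The task list this include belongs to continues past the hunk.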
@@ -15,4 +15,4 @@
   include_tasks: "ntp_rpm.yml"
   when:
     - ansible_os_family in ['RedHat', 'Suse']
-    - ntp_service_enabled
\ No newline at end of file
+    - ntp_service_enabled
index cba5cd89642685597382059d276f7f3555988289..ebf6927cc1477fc295389596d4abdea85506b20d 100644 (file)
@@ -54,6 +54,7 @@
     - role: ceph-defaults
       tags: [with_pkg, fetch_container_image]
     - role: ceph-validate
+    - role: ceph-infra
     - role: ceph-handler
     - role: ceph-docker-common
       tags: [with_pkg, fetch_container_image]
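Review bot: `ceph-infra` is inserted into a single play's role list, but the rules it installs are conditioned on the host's group (`mon_group_name in group_names`, `osd_group_name in group_names`, and so on), so the role has to run in every play of this playbook that targets a daemon group; only this one hunk of `site-docker.yml.sample` is shown, so if the other plays were not updated, OSD, RGW, MDS and the remaining hosts get no firewall rules in containerized deployments. Placing it after `ceph-defaults` and `ceph-validate` looks right, since the role's conditionals read `containerized_deployment` and `is_atomic`, which presumably come from the roles that precede it. The play whose roles list this hunk belongs to starts before the hunk.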