From: Dimitri Savineau
Date: Fri, 15 Nov 2019 15:11:33 +0000 (-0500)
Subject: ceph-infra: split firewalld tasks
X-Git-Tag: v6.0.0alpha1~41
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=45fb9241c06ae46486c0fb9664decfaa87600acf;p=ceph-ansible.git
ceph-infra: split firewalld tasks
Since ansible 2.9 the firewalld task could not be used with service and source in the same time anymore.
Signed-off-by: Dimitri Savineau
---
diff --git a/roles/ceph-infra/tasks/configure_firewall.yml b/roles/ceph-infra/tasks/configure_firewall.yml
index 02e400fd1..acf730097 100644
--- a/roles/ceph-infra/tasks/configure_firewall.yml
+++ b/roles/ceph-infra/tasks/configure_firewall.yml
@@ -11,197 +11,282 @@ - when: (firewalld_pkg_query.get('rc', 1) == 0 or is_atomic | bool) + tags: firewall block: - - name: start firewalld - service: - name: firewalld - state: started - enabled: yes - - - name: open monitor and manager ports - firewalld: - service: "{{ item[1].service }}" - zone: "{{ item[1].zone }}" - source: "{{ item[0] }}" - permanent: true - immediate: true - state: enabled - with_nested: - - "{{ public_network.split(',') }}" - - - { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" } + - name: start firewalld + service: + name: firewalld + state: started + enabled: yes + + - name: open ceph networks on monitor + firewalld: + zone: "{{ ceph_mon_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - mon_group_name is defined + - mon_group_name in group_names + + - name: open ceph networks on manager when collocated + firewalld: + zone: "{{ ceph_mgr_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - mon_group_name is defined + - mon_group_name in group_names + - mgr_group_name | length == 0 + + - name: open monitor and manager ports + firewalld: + service: "{{ item.service }}" + zone: "{{ item.zone }}" + permanent: true + immediate: true + state: enabled + with_items: + - { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" } - { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" } - when: - - mon_group_name is defined - - mon_group_name in group_names - tags: firewall - - - name: open manager ports - firewalld: - service: ceph - zone: "{{ ceph_mgr_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - mgr_group_name is defined - - mgr_group_name in group_names - tags: firewall - - - name: open osd ports - firewalld: - 
service: ceph - zone: "{{ ceph_osd_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') | union(cluster_network.split(',')) }}" - when: - - osd_group_name is defined - - osd_group_name in group_names - tags: firewall - - - name: open rgw ports - firewalld: - port: "{{ radosgw_frontend_port }}/tcp" - zone: "{{ ceph_rgw_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - rgw_group_name is defined - - rgw_group_name in group_names - tags: firewall - - - name: open mds ports - firewalld: - service: ceph - zone: "{{ ceph_mds_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - mds_group_name is defined - - mds_group_name in group_names - tags: firewall - - - name: open nfs ports - firewalld: - service: nfs - zone: "{{ ceph_nfs_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - nfs_group_name is defined - - nfs_group_name in group_names - tags: firewall - - - name: open nfs ports (portmapper) - firewalld: - port: "111/tcp" - zone: "{{ ceph_nfs_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - nfs_group_name is defined - - nfs_group_name in group_names - tags: firewall - - - name: open rbdmirror ports - firewalld: - service: ceph - zone: "{{ ceph_rbdmirror_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - rbdmirror_group_name is defined - - rbdmirror_group_name in group_names - tags: firewall - - - name: open iscsi target ports - firewalld: - port: "3260/tcp" - zone: "{{ 
ceph_iscsi_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - iscsi_gw_group_name is defined - - iscsi_gw_group_name in group_names - tags: firewall - - - name: open iscsi api ports - firewalld: - port: "{{ api_port | default(5000) }}/tcp" - zone: "{{ ceph_iscsi_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - iscsi_gw_group_name is defined - - iscsi_gw_group_name in group_names - tags: firewall - - - name: open iscsi/prometheus port - firewalld: - port: "9287/tcp" - zone: "{{ ceph_iscsi_firewall_zone }}" - permanent: true - immediate: true - state: enabled - when: - - iscsi_gw_group_name is defined - - iscsi_gw_group_name in group_names - tags: firewall - - - name: open dashboard ports - include_tasks: dashboard_firewall.yml - when: dashboard_enabled | bool - - - name: open haproxy ports - firewalld: - port: "{{ haproxy_frontend_port | default(80) }}/tcp" - zone: "{{ ceph_rgwloadbalancer_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: true - state: enabled - with_items: "{{ public_network.split(',') }}" - when: - - rgwloadbalancer_group_name is defined - - rgwloadbalancer_group_name in group_names - tags: - - firewall - - - name: add rich rule for keepalived vrrp - firewalld: - rich_rule: 'rule protocol value="vrrp" accept' - permanent: true - immediate: true - state: enabled - when: - - rgwloadbalancer_group_name is defined - - rgwloadbalancer_group_name in group_names - tags: - - firewall - -- meta: flush_handlers + when: + - mon_group_name is defined + - mon_group_name in group_names + + - name: open ceph networks on manager when dedicated + firewalld: + zone: "{{ ceph_mgr_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - 
mgr_group_name is defined + - mgr_group_name in group_names + - mgr_group_name | length > 0 + + - name: open manager ports + firewalld: + service: ceph + zone: "{{ ceph_mgr_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - mgr_group_name is defined + - mgr_group_name in group_names + + - name: open ceph networks on osd + firewalld: + zone: "{{ ceph_osd_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') | union(cluster_network.split(',')) }}" + when: + - osd_group_name is defined + - osd_group_name in group_names + + - name: open osd ports + firewalld: + service: ceph + zone: "{{ ceph_osd_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - osd_group_name is defined + - osd_group_name in group_names + + - name: open ceph networks on rgw + firewalld: + zone: "{{ ceph_rgw_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - rgw_group_name is defined + - rgw_group_name in group_names + + - name: open rgw ports + firewalld: + port: "{{ radosgw_frontend_port }}/tcp" + zone: "{{ ceph_rgw_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - rgw_group_name is defined + - rgw_group_name in group_names + + - name: open ceph networks on mds + firewalld: + zone: "{{ ceph_mds_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - mds_group_name is defined + - mds_group_name in group_names + + - name: open mds ports + firewalld: + service: ceph + zone: "{{ ceph_mds_firewall_zone }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - mds_group_name is defined + - mds_group_name in group_names + + - name: open ceph networks on nfs + firewalld: + 
zone: "{{ ceph_nfs_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - nfs_group_name is defined + - nfs_group_name in group_names + + - name: open nfs ports + firewalld: + service: nfs + zone: "{{ ceph_nfs_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - nfs_group_name is defined + - nfs_group_name in group_names + + - name: open nfs ports (portmapper) + firewalld: + port: "111/tcp" + zone: "{{ ceph_nfs_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - nfs_group_name is defined + - nfs_group_name in group_names + + - name: open ceph networks on rbdmirror + firewalld: + zone: "{{ ceph_rbdmirror_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - rbdmirror_group_name is defined + - rbdmirror_group_name in group_names + + - name: open rbdmirror ports + firewalld: + service: ceph + zone: "{{ ceph_rbdmirror_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - rbdmirror_group_name is defined + - rbdmirror_group_name in group_names + + - name: open ceph networks on iscsi + firewalld: + zone: "{{ ceph_iscsi_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - iscsi_gw_group_name is defined + - iscsi_gw_group_name in group_names + + - name: open iscsi target ports + firewalld: + port: "3260/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - iscsi_gw_group_name is defined + - iscsi_gw_group_name in group_names + + - name: open iscsi api ports + firewalld: + port: "{{ api_port | default(5000) }}/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - 
iscsi_gw_group_name is defined + - iscsi_gw_group_name in group_names + + - name: open iscsi/prometheus port + firewalld: + port: "9287/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - iscsi_gw_group_name is defined + - iscsi_gw_group_name in group_names + + - name: open dashboard ports + include_tasks: dashboard_firewall.yml + when: dashboard_enabled | bool + + - name: open ceph networks on haproxy + firewalld: + zone: "{{ ceph_rgwloadbalancer_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: "{{ public_network.split(',') }}" + when: + - rgwloadbalancer_group_name is defined + - rgwloadbalancer_group_name in group_names + + - name: open haproxy ports + firewalld: + port: "{{ haproxy_frontend_port | default(80) }}/tcp" + zone: "{{ ceph_rgwloadbalancer_firewall_zone }}" + permanent: true + immediate: true + state: enabled + when: + - rgwloadbalancer_group_name is defined + - rgwloadbalancer_group_name in group_names + + - name: add rich rule for keepalived vrrp + firewalld: + rich_rule: 'rule protocol value="vrrp" accept' + permanent: true + immediate: true + state: enabled + when: + - rgwloadbalancer_group_name is defined + - rgwloadbalancer_group_name in group_names
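Review bot: The new `open ceph networks on manager when collocated` task conditions on `mgr_group_name | length == 0`, but `mgr_group_name` is used throughout this hunk as a group name (`mgr_group_name in group_names`), so the filter measures the length of that string and the condition can never be true for a non-empty name; the mirrored `mgr_group_name | length > 0` on the `when dedicated` task is then always true. If the intent is to detect that no manager hosts exist in the inventory, the condition should look at the inventory, e.g. `- groups.get(mgr_group_name, []) | length == 0` in the collocated task and `- groups.get(mgr_group_name, []) | length > 0` in the dedicated one. As the hunk stands, a monitor that runs the manager without a dedicated mgr group appears to get the `ceph` service enabled in the mgr zone but no public-network source bound to that zone, so the opened ports would not be reachable as intended. Separately, the new `open mds ports` task keeps `with_items: "{{ public_network.split(',') }}"` although `source` was removed, which only repeats the identical zone/service call once per network; dropping that line brings it in line with the other per-service tasks. The `enabled: yes` on `start firewalld` would also be better written as `enabled: true` to avoid the truthy-string ambiguity.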