From: Guillaume Abrioux Date: Tue, 9 Oct 2018 17:38:51 +0000 (-0400) Subject: infra: add firewall configuration for containerized deployment X-Git-Tag: v3.2.0beta4~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f8a7ffb08517be9789dd2487040455c798d81e38;p=ceph-ansible.git infra: add firewall configuration for containerized deployment firewalld is available on atomic so there is no reason to not apply firewall configuration. Signed-off-by: Guillaume Abrioux --- diff --git a/roles/ceph-infra/tasks/configure_firewall_rpm.yml b/roles/ceph-infra/tasks/configure_firewall_rpm.yml deleted file mode 100644 index 301c67444..000000000 --- a/roles/ceph-infra/tasks/configure_firewall_rpm.yml +++ /dev/null 
@@ -1,185 +0,0 @@ ---- -- name: check firewalld installation on redhat or suse - command: rpm -q firewalld - args: - warn: no - register: firewalld_pkg_query - ignore_errors: true - check_mode: no - changed_when: false - tags: - - firewall - -- name: start firewalld - service: - name: firewalld - state: started - enabled: yes - when: - - firewalld_pkg_query.rc == 0 - -- name: open monitor ports - firewalld: - service: ceph-mon - zone: "{{ ceph_mon_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - mon_group_name is defined - - mon_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open manager ports - firewalld: - service: ceph - zone: "{{ ceph_mgr_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - ceph_release_num[ceph_release] >= ceph_release_num.luminous - - mgr_group_name is defined - - mgr_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open osd ports - firewalld: - service: ceph - zone: "{{ ceph_osd_firewall_zone }}" - source: "{{ item }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - with_items: - - "{{ public_network }}" - - "{{ cluster_network }}" - notify: restart firewalld - when: - - osd_group_name is defined - - osd_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open rgw ports - firewalld: - port: "{{ radosgw_frontend_port }}/tcp" - zone: "{{ ceph_rgw_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - rgw_group_name is defined - - rgw_group_name in 
group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open mds ports - firewalld: - service: ceph - zone: "{{ ceph_mds_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - mds_group_name is defined - - mds_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open nfs ports - firewalld: - service: nfs - zone: "{{ ceph_nfs_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - nfs_group_name is defined - - nfs_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open nfs ports (portmapper) - firewalld: - port: "111/tcp" - zone: "{{ ceph_nfs_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - nfs_group_name is defined - - nfs_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open restapi ports - firewalld: - port: "{{ restapi_port }}/tcp" - zone: "{{ ceph_restapi_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - restapi_group_name is defined - - restapi_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open rbdmirror ports - firewalld: - service: ceph - zone: "{{ ceph_rbdmirror_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - rbdmirror_group_name is defined - - rbdmirror_group_name in 
group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open iscsi ports - firewalld: - port: "5001/tcp" - zone: "{{ ceph_iscsi_firewall_zone }}" - source: "{{ public_network }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - iscsi_group_name is defined - - iscsi_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- meta: flush_handlers diff --git a/roles/ceph-infra/tasks/configure_firewallyml b/roles/ceph-infra/tasks/configure_firewallyml new file mode 100644 index 000000000..c0e41d823 --- /dev/null +++ b/roles/ceph-infra/tasks/configure_firewallyml 
@@ -0,0 +1,189 @@ +--- +- name: check firewalld installation on redhat or suse + command: rpm -q firewalld + args: + warn: no + register: firewalld_pkg_query + ignore_errors: true + check_mode: no + changed_when: false + tags: + - firewall + when: + - not containerized_deployment + +- name: start firewalld + service: + name: firewalld + state: started + enabled: yes + when: + - not firewalld_pkg_query.skipped + - firewalld_pkg_query.rc == 0 + or is_atomic + +- name: open monitor ports + firewalld: + service: ceph-mon + zone: "{{ ceph_mon_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - mon_group_name is defined + - mon_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open manager ports + firewalld: + service: ceph + zone: "{{ ceph_mgr_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - ceph_release_num[ceph_release] >= ceph_release_num.luminous + - mgr_group_name is defined + - mgr_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open osd ports + firewalld: + service: ceph + zone: "{{ ceph_osd_firewall_zone }}" + source: "{{ item }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + with_items: + - "{{ public_network }}" + - "{{ cluster_network }}" + notify: restart firewalld + when: + - osd_group_name is defined + - osd_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open rgw ports + firewalld: + port: "{{ radosgw_frontend_port }}/tcp" + zone: "{{ ceph_rgw_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: 
enabled + notify: restart firewalld + when: + - rgw_group_name is defined + - rgw_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open mds ports + firewalld: + service: ceph + zone: "{{ ceph_mds_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - mds_group_name is defined + - mds_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open nfs ports + firewalld: + service: nfs + zone: "{{ ceph_nfs_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - nfs_group_name is defined + - nfs_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open nfs ports (portmapper) + firewalld: + port: "111/tcp" + zone: "{{ ceph_nfs_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - nfs_group_name is defined + - nfs_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open restapi ports + firewalld: + port: "{{ restapi_port }}/tcp" + zone: "{{ ceph_restapi_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - restapi_group_name is defined + - restapi_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open rbdmirror ports + firewalld: + service: ceph + zone: "{{ ceph_rbdmirror_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: 
restart firewalld + when: + - rbdmirror_group_name is defined + - rbdmirror_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open iscsi ports + firewalld: + port: "5001/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + source: "{{ public_network }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - iscsi_group_name is defined + - iscsi_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- meta: flush_handlers diff --git a/roles/ceph-infra/tasks/main.yml b/roles/ceph-infra/tasks/main.yml index 418c257b6..af5fd6fcd 100644 --- a/roles/ceph-infra/tasks/main.yml +++ b/roles/ceph-infra/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: include_tasks configure_firewall_rpm.yml - include_tasks: configure_firewall_rpm.yml +- name: include_tasks configure_firewall.yml + include_tasks: configure_firewall.yml when: - configure_firewall - ansible_os_family in ['RedHat', 'Suse'] @@ -15,4 +15,4 @@ include_tasks: "ntp_rpm.yml" when: - ansible_os_family in ['RedHat', 'Suse'] - - ntp_service_enabled \ No newline at end of file + - ntp_service_enabled diff --git a/site-docker.yml.sample b/site-docker.yml.sample index cba5cd896..ebf6927cc 100644 --- a/site-docker.yml.sample +++ b/site-docker.yml.sample @@ -54,6 +54,7 @@ - role: ceph-defaults tags: [with_pkg, fetch_container_image] - role: ceph-validate + - role: ceph-infra - role: ceph-handler - role: ceph-docker-common tags: [with_pkg, fetch_container_image]
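Review bot: The `start firewalld` guard in the new configure_firewall.yml cannot fire on the atomic hosts the commit targets: its two list items are AND-ed, and `not firewalld_pkg_query.skipped` is false exactly when the check task was skipped (`containerized_deployment`, which I take to include atomic), so the `or is_atomic` alternative is unreachable; on a host where the check did run, I believe the registered result carries no `skipped` key at all, which Ansible's conditional evaluation reports as an error rather than false. Every `open … ports` task below still keeps `- firewalld_pkg_query.rc == 0`, and `rc` is undefined once the check was skipped, so a containerized mon/mgr/osd/rgw/mds/nfs/restapi/rbdmirror/iscsi host fails the conditional instead of receiving its rules — the commit only rewrote the first two tasks. I would derive the availability once with a `set_fact` after the check task and use `- firewalld_available | bool` in place of the `rc == 0` item in all eleven port tasks and in the start task. Separately, the new file's header reads `configure_firewallyml` while main.yml includes `configure_firewall.yml`; if that is not an extraction artifact of this page, the include will not resolve. While touching these tasks, `enabled: yes` and `warn: no` would be cleaner as `true`/`false`.
```yaml
# … unchanged: check firewalld installation on redhat or suse (registers firewalld_pkg_query) …

- name: set_fact firewalld_available
  set_fact:
    # rpm present on a package-based host, or an atomic host where firewalld ships with the OS
    firewalld_available: "{{ is_atomic | bool or (firewalld_pkg_query.rc | default(1)) == 0 }}"
  tags:
    - firewall

- name: start firewalld
  service:
    name: firewalld
    state: started
    enabled: true
  when:
    - firewalld_available | bool

# … unchanged: open * ports tasks, each with `- firewalld_available | bool` replacing `- firewalld_pkg_query.rc == 0` …
```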