From 6a5e0da30d25a13275a3ba5555bfa89da173199f Mon Sep 17 00:00:00 2001
From: Eduard Egorov
Date: Fri, 17 Nov 2017 12:32:48 +0000
Subject: [PATCH] firewall: configure firewalld if it's already installed on the host (#2192).

Signed-off-by: Eduard Egorov
---
 group_vars/all.yml.sample                     | 5 ++
 group_vars/rhcs.yml.sample                    | 5 ++
 roles/ceph-common/handlers/main.yml           | 6 ++
 roles/ceph-common/tasks/main.yml              | 7 +++
 .../tasks/misc/configure_firewall.yml         | 57 +++++++++++++++++++
 roles/ceph-defaults/defaults/main.yml         | 5 ++
 6 files changed, 85 insertions(+)
 create mode 100644 roles/ceph-common/handlers/main.yml
 create mode 100644 roles/ceph-common/tasks/misc/configure_firewall.yml

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 6b42ea21a..3871dfd0d 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -60,6 +60,11 @@ dummy:
 # want to set this to False to skip those checks.
 #check_firewall: False
 
+# Note: this task will only configure pre-installed firewall
+#configure_firewall: False
+#ceph_mon_firewall_zone: dmz
+#ceph_osd_firewall_zone: dmz
+#ceph_rgw_firewall_zone: dmz
 
 ############
 # PACKAGES #
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 76de30f30..3ec464af5 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -60,6 +60,11 @@ fetch_directory: ~/ceph-ansible-keys
 # want to set this to False to skip those checks.
 #check_firewall: False
 
+# Note: this task will only configure pre-installed firewall
+#configure_firewall: False
+#ceph_mon_firewall_zone: dmz
+#ceph_osd_firewall_zone: dmz
+#ceph_rgw_firewall_zone: dmz
 
 ############
 # PACKAGES #
diff --git a/roles/ceph-common/handlers/main.yml b/roles/ceph-common/handlers/main.yml
new file mode 100644
index 000000000..5a9d52410
--- /dev/null
+++ b/roles/ceph-common/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart firewalld
+  service:
+    name: firewalld
+    state: restarted
+    enabled: yes
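Review bot: `state: restarted` in the new handler stops firewalld before starting it again, and while the service is down the host runs without firewalld's rule set, so every handler run opens a brief unfiltered window on a node that only needed its permanent configuration applied; `state: reloaded` applies the permanent rules in place (the unit reloads on SIGHUP, the equivalent of `firewall-cmd --reload`) and is the natural companion to the `immediate: false` used by the tasks that notify it. The handler also sets `enabled: yes`, which enables and starts a firewalld that was installed but deliberately left inactive — if that is the intent it should be stated in the handler name or a comment, otherwise drop `enabled` and only reload. Write the boolean as `enabled: true` rather than the YAML 1.1 `yes`, matching `permanent: true` and `ignore_errors: true` in the new task file.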
diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml
index 5aee03eb0..5acb41a3d 100644
--- a/roles/ceph-common/tasks/main.yml
+++ b/roles/ceph-common/tasks/main.yml
@@ -12,6 +12,13 @@
   # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
   static: False
 
+- name: include misc/configure_firewall.yml
+  include: misc/configure_firewall.yml
+  when:
+    - configure_firewall
+  # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
+  static: False
+
 - name: include misc/system_tuning.yml
   include: misc/system_tuning.yml
   when:
diff --git a/roles/ceph-common/tasks/misc/configure_firewall.yml b/roles/ceph-common/tasks/misc/configure_firewall.yml
new file mode 100644
index 000000000..4b16687c7
--- /dev/null
+++ b/roles/ceph-common/tasks/misc/configure_firewall.yml
@@ -0,0 +1,57 @@
+---
+- name: check firewalld installation on redhat
+  command: rpm -q firewalld
+  register: firewalld
+  ignore_errors: true
+  always_run: true
+  changed_when: false
+  when: ansible_os_family == 'RedHat'
+  tags:
+    - firewall
+
+- name: open monitor ports
+  firewalld:
+    service: ceph-mon
+    zone: "{{ ceph_mon_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - mon_group_name is defined
+    - mon_group_name in group_names
+    - firewalld.rc == 0
+  tags:
+    - firewall
+
+- name: open osd ports
+  firewalld:
+    service: ceph
+    zone: "{{ ceph_osd_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - osd_group_name is defined
+    - osd_group_name in group_names
+    - firewalld.rc == 0
+  tags:
+    - firewall
+
+- name: open rgw ports
+  firewalld:
+    port: "{{ radosgw_civetweb_port }}/tcp"
+    zone: "{{ ceph_rgw_firewall_zone }}"
+    permanent: true
+    immediate: false # if true then fails in case firewalld is stopped
+    state: enabled
+  notify: restart firewalld
+  when:
+    - rgw_group_name is defined
+    - rgw_group_name in group_names
+    - firewalld.rc == 0
+  tags:
+    - firewall
+
+- meta: flush_handlers
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index ec2fcae0b..3d19ea2b0 100644
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -52,6 +52,11 @@ mgr_group_name: mgrs
 # want to set this to False to skip those checks.
 check_firewall: False
 
+# Note: this task will only configure pre-installed firewall
+configure_firewall: False
+ceph_mon_firewall_zone: dmz
+ceph_osd_firewall_zone: dmz
+ceph_rgw_firewall_zone: dmz
 
 ############
 # PACKAGES #
-- 
2.39.5
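Review bot: Each `when` list in the monitor, osd and rgw tasks ends with `firewalld.rc == 0`, but the task that registers `firewalld` runs only when `ansible_os_family == 'RedHat'`; on any other host the registered result is a skipped record with no `rc` key, so with `configure_firewall: true` these tasks should fail the conditional evaluation with an undefined-attribute error rather than being skipped. Add `- firewalld.rc is defined` ahead of `- firewalld.rc == 0` in all three `when` lists, or apply the same `ansible_os_family` condition to them. `always_run: true` on the check task is deprecated in favour of `check_mode: no`. Note also that `rpm -q` establishes only that the package is present, not that the service is active; together with the notified handler, which restarts and enables firewalld, a node that had firewalld installed but intentionally stopped ends up with firewalld running, which the file header should say, e.g. `# Configures firewalld only where the package is installed; the notified handler starts and enables the service if it was stopped.`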
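Review bot: The new `ceph_*_firewall_zone` defaults are set to `dmz` without explanation, and firewalld applies a zone's services and ports only to the interfaces or sources bound to that zone, so on a host whose interfaces remain in the usual default `public` zone these rules are stored but never filter Ceph traffic. Either document that assumption or default to the zone operators most commonly use; at minimum extend the comment above the new keys: `# Zone must be the one the Ceph-facing interface is bound to (see firewall-cmd --get-active-zones).` The same values are mirrored in the two `group_vars/*.yml.sample` hunks, so the comment belongs there as well.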