Create our own firewalld zone and use it on real bare metal
Modifying the public zone is questionable, let's use our own zone.
Also let's make sure network_interface actually belongs to it.
Conflicts:
playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
Change-Id: I63f5fa4845aa8f1c90a0c73dd78deb45aaaa4fd1
(cherry picked from commit 710e0db068)
This commit is contained in:
parent
2055f04f3f
commit
ac6ec9f99a
|
@ -62,8 +62,15 @@ For the machine that hosts Bifrost you'll need to figure out:
|
|||
|
||||
* The network interface you're going to use for communication between the bare
|
||||
metal machines and the Bifrost services.
|
||||
|
||||
On systems using firewalld (CentOS and RHEL currently), a new zone
|
||||
``bifrost`` will be created, and the network interface will be moved to it.
|
||||
DHCP, PXE and API services will only be added to this zone. If you need any
|
||||
of them available in other zones, you need to configure firewall yourself.
|
||||
|
||||
* Pool of IP addresses for DHCP (must be within the network configured on the
|
||||
chosen network interface).
|
||||
|
||||
* Whether you want the services to use authentication via Keystone_.
|
||||
|
||||
For each machine that is going to be enrolled in the Bare Metal service you'll
|
||||
|
|
|
@ -49,6 +49,8 @@ network_interface: "virbr0"
|
|||
ans_network_interface: "{{ network_interface | replace('-', '_') }}"
|
||||
internal_interface: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4'] }}"
|
||||
internal_ip: "{{ internal_interface['address'] }}"
|
||||
# Our own firewalld zone, only applies when testing is false.
|
||||
firewalld_internal_zone: bifrost
|
||||
|
||||
# Normally this would setting would be http in a bifrost installation
|
||||
# without TLS. This setting allows a user to override the setting in case
|
||||
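Review bot: The comment on `firewalld_internal_zone` says only when it applies, not what choosing it does: the interface named by `network_interface` is enrolled into this zone and only the DHCP, PXE and API services are opened in it, so the value decides which zone's policy that interface ends up under. Since the release note tells operators that `firewalld_internal_zone=public` reverts to the previous behaviour, this comment is where that consequence should be spelled out. Suggest `# firewalld zone that network_interface is moved into; only the DHCP, PXE and API services are opened in it. Only applies when testing is false.`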
|
|
|
@ -27,23 +27,8 @@
|
|||
enable_venv: true
|
||||
when: lookup('env', 'VENV') | length > 0
|
||||
|
||||
- block:
|
||||
- name: "Ask systemd to reload configuration"
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
- name: "Enable firewalld"
|
||||
service:
|
||||
name: firewalld
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: "Disable iptables (if enabled)"
|
||||
service:
|
||||
name: iptables
|
||||
state: stopped
|
||||
enabled: no
|
||||
ignore_errors: true
|
||||
- name: "Setup firewalld"
|
||||
include_tasks: setup_firewalld.yml
|
||||
when: ansible_distribution in ["CentOS", "RedHat"]
|
||||
|
||||
# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
|
||||
|
@ -358,7 +343,7 @@
|
|||
- name: "Enable services in firewalld"
|
||||
firewalld:
|
||||
service: "{{ item }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else 'public' }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
|
@ -371,7 +356,7 @@
|
|||
- name: "Enable ports in firewalld"
|
||||
firewalld:
|
||||
port: "{{ item }}/tcp"
|
||||
zone: "{{ 'libvirt' if testing | bool else 'public' }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
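Review bot: The zone expression `"{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"` is now written out three times — in `Enable services in firewalld` and `Enable ports in firewalld` here, and again in the inspector task in the next file — while setup_firewalld.yml makes the same testing/non-testing decision separately with `when: not testing | bool`. Four places have to stay in step for the services to land in the zone that actually holds the interface; a single default such as `firewalld_zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"` referenced by all of them removes that drift. The `Setup firewalld` include is gated on `ansible_distribution in ["CentOS", "RedHat"]`; whether the later firewalld tasks share that gate is outside the hunk, and if they do not, on a firewalld host of another distribution they would target a zone that was never created.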
|
|
|
@ -132,7 +132,7 @@
|
|||
- name: "Inspector - Enable port in firewalld"
|
||||
firewalld:
|
||||
port: "5050/tcp"
|
||||
zone: "{{ 'libvirt' if testing else 'public' }}"
|
||||
zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
|
|
|
@ -22,6 +22,10 @@
|
|||
name: "{{ required_packages }}"
|
||||
state: present
|
||||
|
||||
- name: "Ask systemd to reload configuration"
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
# NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
|
||||
# and it should already be created by the Ansible setup, we will leave this
|
||||
# here for the time being.
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
---
|
||||
- name: "Enable firewalld"
|
||||
service:
|
||||
name: firewalld
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: "Disable iptables (if enabled)"
|
||||
service:
|
||||
name: iptables
|
||||
state: stopped
|
||||
enabled: no
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Create a firewalld zone"
|
||||
firewalld:
|
||||
zone: "{{ firewalld_internal_zone }}"
|
||||
state: present
|
||||
permanent: yes
|
||||
register: new_zone_result
|
||||
when: not testing | bool
|
||||
|
||||
- name: "Reload firewalld if needed"
|
||||
service:
|
||||
name: firewalld
|
||||
state: reloaded
|
||||
when:
|
||||
- new_zone_result is defined
|
||||
- new_zone_result.changed
|
||||
|
||||
- name: "Add the network interface to the new zone"
|
||||
firewalld:
|
||||
zone: "{{ firewalld_internal_zone }}"
|
||||
interface: "{{ network_interface }}"
|
||||
state: enabled
|
||||
permanent: yes
|
||||
immediate: yes
|
||||
when: not testing | bool
|
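Review bot: `Add the network interface to the new zone` moves `network_interface` out of whatever zone it was in and into a zone that was just created empty, and does so with `immediate: yes`, so anything that was reachable on that interface through its old zone — typically ssh, which the stock default zone allows — stops being reachable the moment the task runs, unless the service list in bootstrap.yml adds it back. If the operator manages the host over that same interface this locks them out mid-playbook, and the release note only mentions the ironic endpoints. At minimum a comment above the task should state it, e.g. `# NOTE: the interface leaves its previous zone; only the services added to firewalld_internal_zone stay reachable on it (add ssh if the host is managed over it).` Separately, `new_zone_result is defined` in `Reload firewalld if needed` is always true because a skipped task still registers its variable, so `new_zone_result.changed` alone carries the condition.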
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Instead of modifying the ``public`` firewalld zone, creates a new zone
|
||||
``bifrost`` and puts the ``network_interface`` in it. Set
|
||||
``firewalld_internal_zone=public`` to revert to the previous behavior.
|
||||
upgrade:
|
||||
- |
|
||||
Bifrost no longer adds ironic and ironic-inspector endpoints to the public
|
||||
firewalld zone, the operator has to do it explicitly if external access
|
||||
is expected.
|