Fix firewall variables, remove minor lines

* Apply @akrzos fix for firewall variabilization, make firewall register values a static string so port values are truly variablized. * Remove one small, unneeded section doing an unecessary lookup for firewall method since we run this earlier on. Change-Id: Ia29781072d1babc1d71b71345ceb798356c219f5
2016-09-09 17:08:36 +01:00 · 2016-09-09 17:08:36 +01:00 · 5095ffad73
parent 4832550256
commit 5095ffad73
7 changed files with 46 additions and 67 deletions
--- a/ansible/install/roles/connmon/tasks/main.yml
+++ b/ansible/install/roles/connmon/tasks/main.yml
@ -65,7 +65,7 @@
 - name: (connmon) Determine if TCP/{{connmon_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp{{connmon_port}}_exists
+  register: firewalld_connmon_port_exists
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -80,15 +80,15 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_connmon_port_exists.rc != 0

 # iptables-services
 - name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
  shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  become: true
-  register: iptables_tcp5800_exists
-  failed_when: iptables_tcp{{connmon_port}}_exists == 127
+  register: iptables_connmon_port_exists
+  failed_when: iptables_connmon_port_exists == 127
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -103,7 +103,7 @@
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
  become: true
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_connmon_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
--- a/ansible/install/roles/elasticsearch/tasks/main.yml
+++ b/ansible/install/roles/elasticsearch/tasks/main.yml
@ -66,7 +66,7 @@
 - name: Determine if TCP/{{es_local_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{es_local_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp9200_exists
+  register: firewalld_es_local_port_exists
  no_log: true
  when: es_listen_external

@ -78,14 +78,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9200_exists.rc != 0
+  when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_es_local_port_exists.rc != 0

 # iptables-services
 - name: check firewall rules for TCP/{{es_local_port}} (iptables-services)
  shell: grep "dport {{es_local_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp9200_exists
-  failed_when: iptables_tcp9200_exists == 127
+  register: iptables_es_local_port_exists
+  failed_when: iptables_es_local_port_exists == 127
  no_log: true
  when: es_listen_external

@ -96,7 +96,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9200_exists.stdout|int == 0
+  when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_es_local_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: Restart iptables-services for TCP/{{es_local_port}} (iptables-services)
--- a/ansible/install/roles/fluentd/tasks/main.yml
+++ b/ansible/install/roles/fluentd/tasks/main.yml
@ -63,7 +63,7 @@
 - name: Determine if TCP/{{fluentd_syslog_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_syslog_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp42185_exists
+  register: firewalld_fluentd_syslog_port_exists
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -78,14 +78,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp42185_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_fluentd_syslog_port_exists.rc != 0

 # iptables-services
 - name: check firewall rules for TCP/{{fluentd_syslog_port}} (iptables-services)
  shell: grep "dport {{fluentd_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp42185_exists
-  failed_when: iptables_tcp42185_exists == 127
+  register: iptables_fluentd_syslog_port_exists
+  failed_when: iptables_fluentd_syslog_port_exists == 127
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -99,7 +99,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp42185_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_fluentd_syslog_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: Restart iptables-services for TCP/{{fluentd_syslog_port}} (iptables-services)
@ -114,7 +114,7 @@
 - name: Determine if TCP/{{fluentd_http_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_http_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp9919_exists
+  register: firewalld_fluentd_http_port_exists
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -129,14 +129,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9919_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_fluentd_http_port_exists.rc != 0

 # iptables-services
 - name: check firewall rules for TCP/{{fluentd_http_port}} (iptables-services)
  shell: grep "dport {{fluentd_http_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp9919_exists
-  failed_when: iptables_tcp9919_exists == 127
+  register: iptables_fluentd_http_port_exists
+  failed_when: iptables_fluentd_http_port_exists == 127
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -150,7 +150,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9919_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_fluentd_http_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: Restart iptables-services for TCP/{{fluentd_http_port}} (iptables-services)
--- a/ansible/install/roles/grafana/tasks/main.yml
+++ b/ansible/install/roles/grafana/tasks/main.yml
@ -73,7 +73,7 @@
 - name: (grafana) Determine if TCP/{{grafana_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{grafana_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp{{grafana_port}}_exists
+  register: firewalld_grafana_port_exists
  no_log: true
  tags:
    # Skip ANSIBLE0012] Commands should not change things if nothing needs doing
@ -88,14 +88,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{grafana_port}}_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_grafana_port_exists.rc != 0

 # iptables-services
 - name: (grafana) check firewall rules for TCP/{{grafana_port}} (iptables-services)
  shell: grep "dport {{grafana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp3000_exists
-  failed_when: iptables_tcp{{grafana_port}}_exists == 127
+  register: iptables_grafana_port_exists
+  failed_when: iptables_grafana_port_exists == 127
  no_log: true
  tags:
    # Skip ANSIBLE0012] Commands should not change things if nothing needs doing
@ -109,11 +109,10 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp3000_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_grafana_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: (grafana) Restart iptables-services for TCP/{{grafana_port}} (iptables-services)
-  # TODO: replace with systemd module when Ansible 2.2 is the foundation
  command: systemctl restart iptables.service
  ignore_errors: true
  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
--- a/ansible/install/roles/graphite/tasks/main.yml
+++ b/ansible/install/roles/graphite/tasks/main.yml
@ -63,7 +63,7 @@
 - name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp{{graphite_port}}_exists
+  register: firewalld_graphite_port_exists
  no_log: true

 # add firewall rule via firewall-cmd
@ -74,14 +74,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{graphite_port}}_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_graphite_port_exists.rc != 0

 # iptables-services
 - name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
  shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp80_exists
-  failed_when: iptables_tcp{{graphite_port}}_exists == 127
+  register: iptables_graphite_port_exists
+  failed_when: iptables_graphite_port_exists == 127
  no_log: true

 - name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
@ -91,7 +91,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_graphite_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)
--- a/ansible/install/roles/logstash/tasks/main.yml
+++ b/ansible/install/roles/logstash/tasks/main.yml
@ -131,7 +131,7 @@
 - name: Determine if TCP/{{logstash_syslog_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp{{logstash_syslog_port}}_exists
+  register: firewalld_logstash_syslog_port_exists
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Need to validate if port already configured
@ -145,14 +145,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{logstash_syslog_port}}_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_logstash_syslog_port_exists.rc != 0

 # iptables-services
 - name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services)
  shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp5044_exists
-  failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127
+  register: iptables_logstash_syslog_port_exists
+  failed_when: iptables_logstash_syslog_port_exists == 127
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Need to validate if port already configured
@ -165,7 +165,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5044_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_logstash_syslog_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services)
--- a/ansible/install/roles/nginx/tasks/main.yml
+++ b/ansible/install/roles/nginx/tasks/main.yml
@ -34,7 +34,7 @@
  register: nginx_needs_restart

 # deploy basic nginx.conf 8080 vhost
- name: Setup nginx TCP/8080 vhost for SSL certificate
+- name: Setup nginx TCP/{{elk_server_ssl_cert_port}} for SSL certificate retrieval
  template:
    src=nginx.conf.j2
    dest=/etc/nginx/nginx.conf
@ -92,7 +92,7 @@
 - name: Determine if TCP/{{nginx_kibana_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp80_exists
+  register: firewalld_nginx_kibana_port_exists
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -107,14 +107,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_nginx_kibana_port_exists.rc != 0

 # iptables-services
 - name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
  shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp80_exists
-  failed_when: iptables_tcp80_exists == 127
+  register: iptables_nginx_kibana_port_exists
+  failed_when: iptables_nginx_kibana_port_exists == 127
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -128,7 +128,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_nginx_kibana_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
@ -141,30 +141,10 @@
    - skip_ansible_lint

 # Firewalld
- name: Determine if firewalld is in use
-  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
-  ignore_errors: true
-  register: firewalld_in_use
-  no_log: true
-  tags:
-    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
-    # Need to check if firewall is active
-    - skip_ansible_lint
-
- name: Determine if firewalld is active
-  shell: systemctl is-active firewalld.service | grep -vq inactive
-  ignore_errors: true
-  register: firewalld_is_active
-  no_log: true
-  tags:
-    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
-    # Need to check if firewall is active
-    - skip_ansible_lint
-
 - name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
  ignore_errors: true
-  register: firewalld_tcp8080_exists
+  register: firewalld_elk_server_ssl_port_exists
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -179,14 +159,14 @@
    - firewall-cmd --reload
  ignore_errors: true
  become: true
-  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_elk_server_ssl_port_exists.rc != 0

 # iptables-services
 - name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
  shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
-  register: iptables_tcp8080_exists
-  failed_when: iptables_tcp8080_exists == 127
+  register: iptables_elk_server_ssl_port_exists
+  failed_when: iptables_elk_server_ssl_port_exists == 127
  no_log: true
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
@ -200,7 +180,7 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
-  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_elk_server_ssl_port_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)