ansible_qemu_ceph_xcat_test.../cluster/roles/firewalld/README.md

Role Name
=========

This role configures firewalld.

Requirements
------------

The role handles overlay configuration merged from inventory/group_vars/firewalld.yml.
To merge configurations there is a dependency on the merge_vars role to facilitate deep merging of dictionaries with nested lists, the merge vars role depends on 3rd party plugin ansible_merge_vars.

Role Variables
--------------

This role accepts custom configuration from inventory/group_vars/firewalld.yml.
As the role creates dynamic firewall rulesets read the comments in the following files to understand the behaviour.
- firewalld/defaults/main.yml
- inventory/group_vars/firewalld.yml (as listed below)

An example of custom rulesets injected at inventory/group_vars/firewalld.yml follows:

```yml
# This is an example to demonstrate
# - behaviour of the role
# - how to add overlay/merged custom configuration items to group_vars inventory/group_vars/firewalld.xml

firewalld:
  enable: true

# create new ruleset
# - each xcat_network with a corresponding entry in inventroy/networks.yml will have an ipset automatically generated
# - each service with an xcat_network entry will assign the service to a zone of that name, the zone accepts ingress from the corresponding ipset
# - xcat_groups will assign the ruleset to hosts in groups
# 
# this ruleset applies inbound ftp to cluster and infiniband zones on hosts in groups all/compute/slurm/ansible
  firewalld_services:
    - name: ftp
      short: "FTP"
      description: "FTP service"
      port:
        - port: 21
          protocol: tcp
      xcat_groups:
        - compute
        - all
        - slurm
        - ansible
      xcat_networks:
        - cluster
        - infiniband

# create new ruleset with a custom zone        
# - the xcat_networks entry zabbix is not present in inventory/networks.yml, a new zone zabbix will be created
# - the zone requires an ipset named zabbix to add an ingress source
    - name: zabbix
      short: "Zabbix"
      description: "Zabbix Ports"
      port:
        - port: 10050
          protocol: tcp
        - port: 10051
          protocol: tcp
      xcat_groups:
        - all
      xcat_networks:
        - zabbix

# create new ipset   
# - this ipset is for the corresponding auto-generated zabbix zone required by the zabbix service(ruleset)
  firewalld_ipsets:
    zabbix:
      short: zabbix
      description: zabbix ipset
      type: 'hash:ip'
      targets:
        - 172.22.1.220/32
        # - 172.22.1.0/24
        # - 10.0.10.0/16

# create new zone
# - this zone example has an embedded ruleset to allow ANY inbound from IP range, no service or ipset is required
  firewalld_zones:
    - name: mgt
      short: "MGT"
      description: "management host"
      target: "ACCEPT"
      source:
        - address: 172.22.1.220/32

    # network <-> network allow all rule
    # - ipset cluster has a corresponding inventory/group_vars/network.yml entry and is thus auto generated and populated with source address range
    # - ipsets can only be bound to a single zone, to use this format of rule, any service with a 'cluster' entry in 'xcat_networks:' list requires 'cluster' to be removed.
    #
    # - name: cluster2cluster
    #   short: "cluster2cluster"
    #   description: "allow ingress from cluster network"
    #   target: "ACCEPT"
    #   source:
    #     - ipset: cluster
```

License
-------

BSD

Author Information
------------------

An optional section for the role authors to include contact information, or a website (HTML is not allowed).
initial commit 2022-11-30 12:05:03 +00:00			`Role Name`
			`=========`

			`This role configures firewalld.`

			`Requirements`
			`------------`

			`The role handles overlay configuration merged from inventory/group_vars/firewalld.yml.`
			`To merge configurations there is a dependency on the merge_vars role to facilitate deep merging of dictionaries with nested lists, the merge vars role depends on 3rd party plugin ansible_merge_vars.`

			`Role Variables`
			`--------------`

			`This role accepts custom configuration from inventory/group_vars/firewalld.yml.`
			`As the role creates dynamic firewall rulesets read the comments in the following files to understand the behaviour.`
			`- firewalld/defaults/main.yml`
			`- inventory/group_vars/firewalld.yml (as listed below)`

			`An example of custom rulesets injected at inventory/group_vars/firewalld.yml follows:`

			```yml
			`# This is an example to demonstrate`
			`# - behaviour of the role`
			`# - how to add overlay/merged custom configuration items to group_vars inventory/group_vars/firewalld.xml`

			`firewalld:`
			`enable: true`

			`# create new ruleset`
			`# - each xcat_network with a corresponding entry in inventroy/networks.yml will have an ipset automatically generated`
			`# - each service with an xcat_network entry will assign the service to a zone of that name, the zone accepts ingress from the corresponding ipset`
			`# - xcat_groups will assign the ruleset to hosts in groups`
			`#`
			`# this ruleset applies inbound ftp to cluster and infiniband zones on hosts in groups all/compute/slurm/ansible`
			`firewalld_services:`
			`- name: ftp`
			`short: "FTP"`
			`description: "FTP service"`
			`port:`
			`- port: 21`
			`protocol: tcp`
			`xcat_groups:`
			`- compute`
			`- all`
			`- slurm`
			`- ansible`
			`xcat_networks:`
			`- cluster`
			`- infiniband`

			`# create new ruleset with a custom zone`
			`# - the xcat_networks entry zabbix is not present in inventory/networks.yml, a new zone zabbix will be created`
			`# - the zone requires an ipset named zabbix to add an ingress source`
			`- name: zabbix`
			`short: "Zabbix"`
			`description: "Zabbix Ports"`
			`port:`
			`- port: 10050`
			`protocol: tcp`
			`- port: 10051`
			`protocol: tcp`
			`xcat_groups:`
			`- all`
			`xcat_networks:`
			`- zabbix`

			`# create new ipset`
			`# - this ipset is for the corresponding auto-generated zabbix zone required by the zabbix service(ruleset)`
			`firewalld_ipsets:`
			`zabbix:`
			`short: zabbix`
			`description: zabbix ipset`
			`type: 'hash:ip'`
			`targets:`
			`- 172.22.1.220/32`
			`# - 172.22.1.0/24`
			`# - 10.0.10.0/16`

			`# create new zone`
			`# - this zone example has an embedded ruleset to allow ANY inbound from IP range, no service or ipset is required`
			`firewalld_zones:`
			`- name: mgt`
			`short: "MGT"`
			`description: "management host"`
			`target: "ACCEPT"`
			`source:`
			`- address: 172.22.1.220/32`

			`# network <-> network allow all rule`
			`# - ipset cluster has a corresponding inventory/group_vars/network.yml entry and is thus auto generated and populated with source address range`
			`# - ipsets can only be bound to a single zone, to use this format of rule, any service with a 'cluster' entry in 'xcat_networks:' list requires 'cluster' to be removed.`
			`#`
			`# - name: cluster2cluster`
			`# short: "cluster2cluster"`
			`# description: "allow ingress from cluster network"`
			`# target: "ACCEPT"`
			`# source:`
			`# - ipset: cluster`
			```

			`License`
			`-------`

			`BSD`

			`Author Information`
			`------------------`

			`An optional section for the role authors to include contact information, or a website (HTML is not allowed).`