ansible_qemu_ceph_xcat_test.../cluster/roles/firewalld/README.md


Role Name

This role configures firewalld.

Requirements

The role applies an overlay configuration merged from inventory/group_vars/firewalld.yml. Merging is delegated to the merge_vars role, which performs a deep merge of dictionaries containing nested lists; the merge_vars role in turn depends on the third-party plugin ansible_merge_vars.

Role Variables

This role accepts custom configuration from inventory/group_vars/firewalld.yml. Because the role generates firewall rulesets dynamically, read the comments in the following files to understand the behaviour:

  • firewalld/defaults/main.yml
  • inventory/group_vars/firewalld.yml (as listed below)

An example of custom rulesets injected at inventory/group_vars/firewalld.yml follows:

# This is an example to demonstrate
# - behaviour of the role
# - how to add overlay/merged custom configuration items to group_vars inventory/group_vars/firewalld.yml

firewalld:
  enable: true

# create new ruleset
# - each xcat_network with a corresponding entry in inventory/networks.yml will have an ipset automatically generated
# - each service with an xcat_network entry will assign the service to a zone of that name, the zone accepts ingress from the corresponding ipset
# - xcat_groups will assign the ruleset to hosts in groups
# 
# this ruleset applies inbound ftp to cluster and infiniband zones on hosts in groups all/compute/slurm/ansible
  firewalld_services:
    - name: ftp
      short: "FTP"
      description: "FTP service"
      port:
        - port: 21
          protocol: tcp
      xcat_groups:
        - compute
        - all
        - slurm
        - ansible
      xcat_networks:
        - cluster
        - infiniband

# create new ruleset with a custom zone
# - the xcat_networks entry zabbix is not present in inventory/networks.yml, a new zone zabbix will be created
# - the zone requires an ipset named zabbix to add an ingress source
    - name: zabbix
      short: "Zabbix"
      description: "Zabbix Ports"
      port:
        - port: 10050
          protocol: tcp
        - port: 10051
          protocol: tcp
      xcat_groups:
        - all
      xcat_networks:
        - zabbix

# create new ipset
# - this ipset is for the corresponding auto-generated zabbix zone required by the zabbix service (ruleset)
  firewalld_ipsets:
    zabbix:
      short: zabbix
      description: zabbix ipset
      type: 'hash:ip'
      targets:
        - 172.22.1.220/32
        # - 172.22.1.0/24
        # - 10.0.10.0/16

# create new zone
# - this zone example has an embedded ruleset to allow ANY inbound from IP range, no service or ipset is required
  firewalld_zones:
    - name: mgt
      short: "MGT"
      description: "management host"
      target: "ACCEPT"
      source:
        - address: 172.22.1.220/32

    # network <-> network allow all rule
    # - ipset cluster has a corresponding inventory/group_vars/network.yml entry and is thus auto generated and populated with source address range
    # - an ipset can be bound to only one zone; to use this form of rule, 'cluster' must be removed from the 'xcat_networks:' list of any service that lists it.
    #
    # - name: cluster2cluster
    #   short: "cluster2cluster"
    #   description: "allow ingress from cluster network"
    #   target: "ACCEPT"
    #   source:
    #     - ipset: cluster
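The following is an added example, not code from this role or from the ansible_merge_vars plugin. It models in Python the two behaviours described above: the deep merge of the defaults with the group_vars overlay (dictionaries merged key by key, lists concatenated, an assumption about the plugin's semantics) and the expansion of firewalld_services / firewalld_ipsets / firewalld_zones into zones that accept ingress from same-named ipsets. It also enforces the two constraints the comments state, namely that a zone created from an xcat_networks entry needs an ipset of that name and that an ipset may be the source of only one zone. The NETWORKS and DEFAULTS mappings are constructed stand-ins for inventory/networks.yml and firewalld/defaults/main.yml, whose contents the page does not show; the ipset type for auto-generated ipsets is likewise assumed.

```python
import copy
import ipaddress

# Constructed stand-in for inventory/networks.yml (network name -> CIDR).
NETWORKS = {"cluster": "10.0.0.0/16", "infiniband": "10.1.0.0/16"}

# Minimal constructed stand-in for firewalld/defaults/main.yml.
DEFAULTS = {"firewalld": {"enable": False, "firewalld_services": [],
                          "firewalld_ipsets": {}, "firewalld_zones": []}}

# The README's group_vars overlay, transcribed as Python data.
OVERLAY = {"firewalld": {
    "enable": True,
    "firewalld_services": [
        {"name": "ftp", "port": [{"port": 21, "protocol": "tcp"}],
         "xcat_groups": ["compute", "all", "slurm", "ansible"],
         "xcat_networks": ["cluster", "infiniband"]},
        {"name": "zabbix", "port": [{"port": 10050, "protocol": "tcp"},
                                    {"port": 10051, "protocol": "tcp"}],
         "xcat_groups": ["all"], "xcat_networks": ["zabbix"]},
    ],
    "firewalld_ipsets": {"zabbix": {"type": "hash:ip", "targets": ["172.22.1.220/32"]}},
    "firewalld_zones": [{"name": "mgt", "target": "ACCEPT",
                         "source": [{"address": "172.22.1.220/32"}]}],
}}


def deep_merge(base, overlay):
    """Assumed merge semantics: dicts merge recursively, lists concatenate,
    scalars from the overlay win. Neither input is modified."""
    result = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(result.get(key), dict) and isinstance(value, dict):
            result[key] = deep_merge(result[key], value)
        elif isinstance(result.get(key), list) and isinstance(value, list):
            result[key] = result[key] + value
        else:
            result[key] = copy.deepcopy(value)
    return result


def _new_zone(ipset):
    return {"ipset": ipset, "services": [], "hosts": set(), "sources": [], "target": "default"}


def derive(cfg, networks=NETWORKS):
    """Expand the merged config into (ipsets, zones) and validate it."""
    fw = cfg["firewalld"]
    ipsets = {}
    # 1. every network in networks.yml gets an auto-generated ipset holding
    #    its address range (hash:net is an assumption; the page does not say)
    for name, cidr in networks.items():
        ipsets[name] = {"type": "hash:net", "targets": [cidr], "auto": True}
    # 2. explicitly declared ipsets, needed for zones with no networks.yml entry
    for name, spec in fw["firewalld_ipsets"].items():
        for target in spec["targets"]:
            ipaddress.ip_network(target, strict=False)  # reject malformed targets early
        ipsets[name] = dict(spec, auto=False)
    zones = {}
    # 3. each service lands in one zone per xcat_network; that zone accepts
    #    ingress from the ipset of the same name, so the ipset must exist
    for svc in fw["firewalld_services"]:
        for net in svc["xcat_networks"]:
            if net not in ipsets:
                raise ValueError(f"service {svc['name']!r}: no ipset named {net!r} for zone {net!r}")
            zone = zones.setdefault(net, _new_zone(net))
            zone["services"].append(svc["name"])
            zone["hosts"].update(svc["xcat_groups"])
    # 4. hand-written zones with embedded sources; an ipset may feed only one zone
    for z in fw["firewalld_zones"]:
        zone = zones.setdefault(z["name"], _new_zone(None))
        zone["target"] = z.get("target", zone["target"])
        for src in z.get("source", []):
            if "address" in src:
                ipaddress.ip_network(src["address"], strict=False)
                zone["sources"].append(src["address"])
            elif "ipset" in src:
                owner = next((n for n, o in zones.items()
                              if o["ipset"] == src["ipset"] and n != z["name"]), None)
                if owner is not None:
                    raise ValueError(f"ipset {src['ipset']!r} is already bound to zone {owner!r}; "
                                     f"remove it from that service's xcat_networks first")
                if src["ipset"] not in ipsets:
                    raise ValueError(f"zone {z['name']!r}: unknown ipset {src['ipset']!r}")
                zone["ipset"] = src["ipset"]
    return ipsets, zones


def check(mutate=None):
    """Merge DEFAULTS and OVERLAY, optionally mutate the merged 'firewalld'
    dict, and return (ipsets, zones) or the validation error message."""
    cfg = deep_merge(DEFAULTS, OVERLAY)
    if mutate is not None:
        mutate(cfg["firewalld"])
    try:
        return derive(cfg)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    ipsets, zones = check()
    for name, zone in zones.items():
        print(name, zone)
    # the commented-out cluster2cluster zone conflicts with ftp's cluster entry
    print(check(lambda fw: fw["firewalld_zones"].append(
        {"name": "cluster2cluster", "target": "ACCEPT", "source": [{"ipset": "cluster"}]})))
```

Running the script prints the four zones the README example produces (cluster, infiniband, zabbix, mgt) and then the error for the cluster2cluster zone, which is exactly the situation the last comment block warns about. Dropping the zabbix entry from firewalld_ipsets reproduces the other failure the comments describe, a custom zone with no ipset to take its ingress from.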

License

BSD

Author Information

An optional section for the role authors to include contact information, or a website (HTML is not allowed).