diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
index 8b569b5871..ac11091dbd 100644
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@@ -32,6 +32,9 @@ change_selinux: True
 selinux_state: "permissive"
+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
 docker_storage_driver: ""
 docker_custom_option: ""
 docker_custom_config: {}
diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml
index 27886e665c..adb904370f 100644
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
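Review bot: The comment on `disable_firewall` describes only the disabling, but the Debian branch it gates (the ufw task in tasks/install.yml, visible in the next hunk) also sets ufw's default policy to `allow`, and that policy is presumably still in force if an operator later re-enables ufw by hand. Since defaults/main.yml is what operators read, the comment should say so; suggested wording: `# If true, the host firewall service (firewalld or ufw) will be disabled.` / `# On Debian family hosts ufw's default policy is also set to allow, so` / `# re-enabling ufw later does not restore the previous policy.` Writing the default as `True` matches `change_selinux: True` just above it, although yamllint's truthy rule would prefer lowercase `true`.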
@@ -6,34 +6,36 @@ when: ansible_facts.os_family == 'Debian'
 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
-- name: Set firewall default policy
- become: True
- ufw:
- state: disabled
- policy: allow
- when: ansible_facts.os_family == 'Debian'
- ignore_errors: yes
+- block:
+ - name: Set firewall default policy
+ become: True
+ ufw:
+ state: disabled
+ policy: allow
+ when: ansible_facts.os_family == 'Debian'
+ ignore_errors: yes
-- name: Check if firewalld is installed
- command: rpm -q firewalld
- register: firewalld_check
- changed_when: false
- failed_when: firewalld_check.rc > 1
- args:
- warn: false
- when: ansible_facts.os_family == 'RedHat'
+ - name: Check if firewalld is installed
+ command: rpm -q firewalld
+ register: firewalld_check
+ changed_when: false
+ failed_when: firewalld_check.rc > 1
+ args:
+ warn: false
+ when: ansible_facts.os_family == 'RedHat'
-- name: Disable firewalld
- become: True
- service:
- name: "{{ item }}"
- enabled: false
- state: stopped
- with_items:
- - firewalld
- when:
- ansible_facts.os_family == 'RedHat'
- firewalld_check.rc == 0
+ - name: Disable firewalld
+ become: True
+ service:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ with_items:
+ - firewalld
+ when:
+ - ansible_facts.os_family == 'RedHat'
+ - firewalld_check.rc == 0
+ when: disable_firewall | bool
 # Upgrading docker engine may cause containers to stop. Take a snapshot of the
 # running containers prior to a potential upgrade of Docker.
diff --git a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
index cef7e95922..24140eba47 100644
--- a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
+++ b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
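Review bot: The new `- block:` has no `name`, and its `when: disable_firewall | bool` sits below all three wrapped tasks, so a reader scanning the task list does not learn that the whole group is conditional until the last line of the block. Ansible blocks accept a `name:`; writing the block as `- name: Disable the host firewall` followed by `block:` on the next line, plus a one-line comment above it such as `# All three tasks are skipped when disable_firewall is false (see defaults/main.yml).`, makes the gate visible where the tasks start. Note also that when the block is skipped `firewalld_check` is never registered, so any later task in this file that references it would fail on an undefined variable; I cannot see the rest of install.yml to confirm whether such a reference exists. The `# TODO(inc0)` comment about checking for the ufw executable is untouched by this commit and still applies to the ufw task inside the block.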
@@ -204,6 +204,8 @@ will be added to allow all traffic. On Red Hat family systems where firewalld is installed, it will be disabled.
+This behaviour can be avoided by setting ``disable_firewall`` to ``false``.
+
 Creation of Python virtual environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
new file mode 100644
index 0000000000..a9c70313b7
--- /dev/null
+++ b/releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds a new variable, ``disable_firewall``, which defaults to ``true``. If
+ set to ``false``, then the host firewall will not be disabled during
+ ``kolla-ansible bootstrap-servers``.