Use the firewall role and the selinux role from the ha_cluster role

- Introduce ha_cluster_manage_firewall to use the firewall role to
  manage the high-availability service and the fence-virt port.
  ha_cluster_manage_firewall is set to true, by default.

- Introduce ha_cluster_manage_selinux to use the selinux role to
  manage the ports in the high-availability service.
  Assign cluster_port_t to the high-availability service ports.
  ha_cluster_manage_selinux is set to true, by default.

- Add the test check task tasks/check_firewall_selinux.yml for
  verify the ports status.

- Add meta/collection-requirements.yml.

README.md

@@ -28,7 +28,31 @@ An Ansible role for managing High Availability Clustering.
 
 boolean, default: `true`
 
-RHEL and CentOS only, enable repositories contaning needed packages
+RHEL and CentOS only, enable repositories containing needed packages
+
+#### `ha_cluster_manage_firewall`
+
+boolean, default: true
+
+Manage the `firewall high-availability service` as well as the `fence-virt port`.
+When `ha_cluster_manage_firewall` is `true`, the `firewall high-availability
+service` and `fence-virt port` are enabled.
+When `ha_cluster_manage_firewall` is `false`, the `firewall high-availability
+service` and `fence-virt port` are disabled.
+
+#### `ha_cluster_manage_selinux`
+
+boolean, default: true
+
+Manage the ports belonging to the `firewall high-availability service` using
+the selinux role.
+When `ha_cluster_manage_selinux` is `true`, the ports belonging to the
+`firewall high-availability service` are associated with the selinux port type
+`cluster_port_t`.
+When `ha_cluster_manage_selinux` is `false`, the ports belonging to the
+`firewall high-availability service` are detached from `cluster_port_t`.
+Please note that ports which are defined in the selinux policy are not affected
+by this variable.
 
 #### `ha_cluster_cluster_present`
 

defaults/main.yml

@@ -48,3 +48,11 @@ ha_cluster_constraints_location: []
 ha_cluster_constraints_colocation: []
 ha_cluster_constraints_order: []
 ha_cluster_constraints_ticket: []
+
+# If true, manage the high-availability service and the fence-virt port
+# using the firewall role.
+ha_cluster_manage_firewall: true
+
+# If true, manage the ports belonging to the high-availability service
+# and the fence-virt using the selinux role.
+ha_cluster_manage_selinux: true

meta/collection-requirements.yml

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: MIT
+collections:
+  - fedora.linux_system_roles

tasks/firewall.yml

@@ -1,35 +1,15 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Get services status - detect firewall
-  service_facts:
+- block:
+    - name: Initialize firewall option
+      set_fact:
+        _ha_cluster_firewall:
+          - {'service': 'high-availability', 'state': '{{ _state_value }}' }
 
-- name: Configure firewalld
-  block:
-    - name: Enable service 'high-availability' in firewalld
-      command: firewall-cmd --add-service high-availability
-      when: ansible_facts.services['firewalld.service'].state == 'running'
-      register: __ha_cluster_firewall_cmd
-      failed_when:
-        - __ha_cluster_firewall_cmd.rc != 0
-        - __ha_cluster_firewall_cmd.rc != 11  # already enabled
-
-    - name: Enable service 'high-availability' in firewalld permanent config
-      command: firewall-cmd --permanent --add-service high-availability
-      register: __ha_cluster_firewall_cmd
-      when: ansible_facts.services['firewalld.service'].state == 'running'
-      failed_when:
-        - __ha_cluster_firewall_cmd.rc != 0
-        - __ha_cluster_firewall_cmd.rc != 11  # already enabled
-
-    - name: Enable service 'high-availability' in firewalld offline config
-      command: firewall-offline-cmd --add-service high-availability
-      register: __ha_cluster_firewall_cmd
-      when: ansible_facts.services['firewalld.service'].state != 'running'
-      failed_when:
-        - __ha_cluster_firewall_cmd.rc != 0
-        - __ha_cluster_firewall_cmd.rc != 11  # already enabled
-
-    - name: Enable fence-virt port in firewalld - all options
+    - name: Add firewall option for fence-virt/fence-agents
+      set_fact:
+        _ha_cluster_firewall: "{{ _ha_cluster_firewall |
+            union([{'port': '1229/tcp', 'state': '{{ _state_value }}'}]) }}"
       when:
         - (
             'fence-virt' in ha_cluster_fence_agent_packages
@@ -40,30 +20,12 @@
             or
             'fence-agents-all' in ha_cluster_extra_packages
           )
-      block:
-        - name: Enable fence-virt port in firewalld
-          command: firewall-cmd --add-port 1229/tcp
-          when: ansible_facts.services['firewalld.service'].state == 'running'
-          register: __ha_cluster_firewall_cmd
-          failed_when:
-            - __ha_cluster_firewall_cmd.rc != 0
-            - __ha_cluster_firewall_cmd.rc != 11  # already enabled
-
-        - name: Enable fence-virt port in firewalld permanent config
-          command: firewall-cmd --permanent --add-port 1229/tcp
-          when: ansible_facts.services['firewalld.service'].state == 'running'
-          register: __ha_cluster_firewall_cmd
-          failed_when:
-            - __ha_cluster_firewall_cmd.rc != 0
-            - __ha_cluster_firewall_cmd.rc != 11  # already enabled
-
-        - name: Enable fence-virt port in firewalld offline config
-          command: firewall-offline-cmd --add-port 1229/tcp
-          when: ansible_facts.services['firewalld.service'].state != 'running'
-          register: __ha_cluster_firewall_cmd
-          failed_when:
-            - __ha_cluster_firewall_cmd.rc != 0
-            - __ha_cluster_firewall_cmd.rc != 11  # already enabled
 
-  when:
-    - '"firewalld.service" in ansible_facts.services'
+    - name: Ensure the service and the ports status with the firewall role
+      include_role:
+        name: fedora.linux_system_roles.firewall
+      vars:
+        firewall: "{{ _ha_cluster_firewall }}"
+  vars:
+    _state_value: "{{ ha_cluster_manage_firewall |
+                      ternary('enabled', 'disabled') }}"

tasks/main.yml

@@ -14,6 +14,9 @@
     - name: Configure firewall
       include_tasks: firewall.yml
 
+    - name: Configure selinux
+      include_tasks: selinux.yml
+
     - name: Configure pcs / pcsd
       include_tasks: pcs-configure-pcs-pcsd.yml
 

tasks/selinux.yml

@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: MIT
+---
+- block:
+    - name: Set the fence-virt/fence-agents port to _ha_cluster_selinux
+      set_fact:
+        _ha_cluster_selinux:
+          - {'ports': '1229', 'proto': 'tcp', 'setype': 'cluster_port_t',
+             'state': '{{ _state_value }}', 'local': 'true'}
+      when:
+        - (
+            'fence-virt' in ha_cluster_fence_agent_packages
+            or
+            'fence-virt' in ha_cluster_extra_packages
+            or
+            'fence-agents-all' in ha_cluster_fence_agent_packages
+            or
+            'fence-agents-all' in ha_cluster_extra_packages
+          )
+
+    - name: Get the high-availability tcp service ports
+      shell: |-
+        set -euo pipefail
+        grep 'protocol="tcp"' /usr/lib/firewalld/services/high-availability.xml\
+          | sed -e "s#.*port=\"\(.*\)\"/>#\1#"
+      register: __tcp_ports
+      changed_when: false
+
+    - name: Get the high-availability udp service ports
+      shell: |-
+        set -euo pipefail
+        grep 'protocol="udp"' /usr/lib/firewalld/services/high-availability.xml\
+          | sed -e "s#.*port=\"\(.*\)\"/>#\1#"
+      register: __udp_ports
+      changed_when: false
+
+    - name: Add the high-availability tcp service ports to _ha_cluster_selinux
+      set_fact:
+        _ha_cluster_selinux: "{{ _ha_cluster_selinux | d([]) +
+            [{'ports': item, 'proto': 'tcp', 'setype': 'cluster_port_t',
+              'state': _state_value, 'local': 'true'}] }}"
+      loop: "{{ __tcp_ports.stdout.split('\n') }}"
+
+    - name: Add the high-availability udp service ports to _ha_cluster_selinux
+      set_fact:
+        _ha_cluster_selinux: "{{ _ha_cluster_selinux +
+            [{'ports': item, 'proto': 'udp', 'setype': 'cluster_port_t',
+              'state': _state_value, 'local': 'true'}] }}"
+      loop: "{{ __udp_ports.stdout.split('\n') }}"
+
+    - name: Ensure the service and the ports status with the selinux role
+      include_role:
+        name: fedora.linux_system_roles.selinux
+      vars:
+        selinux_ports: "{{ _ha_cluster_selinux }}"
+  vars:
+    _state_value: "{{ ha_cluster_manage_selinux |
+                      ternary('present', 'absent') }}"

tests/tasks/check_firewall_selinux.yml

@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: MIT
+---
+- block:
+    - name: Check firewall service status
+      command: firewall-cmd --list-services
+      register: _result
+      failed_when: "'high-availability' not in _result.stdout"
+      changed_when: false
+
+    - name: Check firewall port status
+      command: firewall-cmd --list-ports
+      register: _result
+      failed_when: "'1229/tcp' not in _result.stdout"
+      changed_when: false
+  when: ha_cluster_manage_firewall | d(true) | bool
+
+- block:
+    - name: Check firewall service status
+      command: firewall-cmd --list-services
+      register: _result
+      failed_when: "'high-availability' in _result.stdout"
+      changed_when: false
+
+    - name: Check firewall port status
+      command: firewall-cmd --list-ports
+      register: _result
+      failed_when: "'1229/tcp' in _result.stdout"
+      changed_when: false
+  when: not ha_cluster_manage_firewall | d(true) | bool
+
+- name: Get associated selinux ports
+  shell: |-
+    set -euo pipefail
+    grep 'port=' /usr/lib/firewalld/services/high-availability.xml \
+      | sed -e "s#.*port=\"\(.*\)\"/>#\1#" | sort | uniq
+  register: __ports
+  changed_when: false
+
+- name: Check associated selinux ports
+  shell: |-
+    set -euo pipefail
+    sudo semanage port --list | grep cluster_port_t | grep "{{ item }}"
+  loop: "{{ __ports.stdout.split('\n') }}"
+  changed_when: false
+  when: ha_cluster_manage_selinux | d(true) | bool
+
+- name: Check associated selinux ports
+  shell: |-
+    set -euo pipefail
+    sudo semanage port --list | grep cluster_port_t | grep "{{ item }}"
+  register: __result
+  loop: "{{ __ports.stdout.split('\n') }}"
+  changed_when: false
+  failed_when: __result.rc == 0
+  when: not ha_cluster_manage_selinux | d(true) | bool

tests/tests_cib_constraints_create.yml

@@ -647,6 +647,9 @@
               - '    set d1 (id:ticket_set_d1_set) setoptions ticket=ticket-set1 (id:ticket_set_d1)'
               - '    set d1 d2 (id:ct-set_set) set d3 d4 require-all=true sequential=false (id:ct-set_set-1) setoptions loss-policy=fence ticket=ticket-set1 (id:ct-set)'
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       # yamllint enable rule:line-length
 
       tags: tests::verify

tests/tests_cib_properties_empty.yml

@@ -29,4 +29,7 @@
           debug:
             var: __test_pcs_property_config
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cib_properties_one_set.yml

@@ -42,4 +42,7 @@
                 'stonith-enabled: true'
                 in __test_pcs_property_config.stdout_lines | map('trim')
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cib_resources_create.yml

@@ -3318,6 +3318,9 @@
                     ]
                 }
             '
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       # yamllint enable rule:line-length
 
       tags: tests::verify

tests/tests_cluster_advanced_knet_full.yml

@@ -114,6 +114,9 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - name: Unset node addresses variable
           set_fact:

tests/tests_cluster_advanced_knet_implicit.yml

@@ -55,4 +55,7 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cluster_advanced_udp_full.yml

@@ -80,4 +80,7 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cluster_basic.yml

@@ -5,6 +5,9 @@
   vars_files: vars/main.yml
   vars:
     ha_cluster_cluster_name: test-cluster
+    # test not to install and configure firewall and selinux
+    ha_cluster_manage_firewall: false
+    ha_cluster_manage_selinux: false
 
   tasks:
     - block:
@@ -101,4 +104,7 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cluster_basic_custom_pcsd_tls.yml

@@ -68,4 +68,7 @@
                 stat_pcsd_key.stat.checksum
                 == stat_pcsd_key_expected.stat.checksum
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cluster_basic_disabled.yml

@@ -31,4 +31,7 @@
         - name: Assert cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cluster_basic_existing_psks.yml

@@ -192,4 +192,7 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_cluster_basic_new_psks.yml

@@ -163,4 +163,7 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       tags: tests::verify

tests/tests_sbd_all_options.yml

@@ -69,6 +69,9 @@
                 __test_sbd_config_lines[-1]
                 == 'SBD_OPTS="-n {{ __ha_cluster_node_name }}"'
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - name: Unset SBD devices and watchdogs
           set_fact:

tests/tests_sbd_check_devices_count.yml

@@ -39,6 +39,9 @@
                 }}"
               run_once: true
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       when: ansible_play_hosts_all | length > 1
       always:
         - name: Unset SBD devices variable

tests/tests_sbd_defaults.yml

@@ -89,6 +89,9 @@
         - name: Check cluster status
           include_tasks: tasks/assert_cluster_running.yml
 
+        - name: Check firewall and selinux state
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - name: Clean up test environment for SBD
           include_role: