From 451535f1496744607391cacf4b737b7d766f3b12 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Tue, 23 Aug 2022 16:43:29 -0700 Subject: [PATCH] Use the firewall role and the selinux role from the ha_cluster role - Introduce ha_cluster_manage_firewall to use the firewall role to manage the high-availability service and the fence-virt port. ha_cluster_manage_firewall is set to true, by default. - Introduce ha_cluster_manage_selinux to use the selinux role to manage the ports in the high-availability service. Assign cluster_port_t to the high-availability service ports. ha_cluster_manage_selinux is set to true, by default. - Add the test check task tasks/check_firewall_selinux.yml for verify the ports status. - Add meta/collection-requirements.yml. --- README.md | 26 ++++++- defaults/main.yml | 8 +++ meta/collection-requirements.yml | 3 + tasks/firewall.yml | 72 +++++-------------- tasks/main.yml | 3 + tasks/selinux.yml | 57 +++++++++++++++ tests/tasks/check_firewall_selinux.yml | 55 ++++++++++++++ tests/tests_cib_constraints_create.yml | 3 + tests/tests_cib_properties_empty.yml | 3 + tests/tests_cib_properties_one_set.yml | 3 + tests/tests_cib_resources_create.yml | 3 + tests/tests_cluster_advanced_knet_full.yml | 3 + .../tests_cluster_advanced_knet_implicit.yml | 3 + tests/tests_cluster_advanced_udp_full.yml | 3 + tests/tests_cluster_basic.yml | 6 ++ tests/tests_cluster_basic_custom_pcsd_tls.yml | 3 + tests/tests_cluster_basic_disabled.yml | 3 + tests/tests_cluster_basic_existing_psks.yml | 3 + tests/tests_cluster_basic_new_psks.yml | 3 + tests/tests_sbd_all_options.yml | 3 + tests/tests_sbd_check_devices_count.yml | 3 + tests/tests_sbd_defaults.yml | 3 + tests/tests_sbd_defaults_disabled.yml | 3 + ...tests_sbd_needs_atb_while_atb_disabled.yml | 3 + .../tests_sbd_needs_atb_while_atb_enabled.yml | 3 + 25 files changed, 225 insertions(+), 56 deletions(-) create mode 100644 meta/collection-requirements.yml create mode 100644 tasks/selinux.yml create mode 100644 tests/tasks/check_firewall_selinux.yml diff --git a/README.md b/README.md index bb96ca2c..3c3f6e90 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,31 @@ An Ansible role for managing High Availability Clustering. boolean, default: `true` -RHEL and CentOS only, enable repositories contaning needed packages +RHEL and CentOS only, enable repositories containing needed packages + +#### `ha_cluster_manage_firewall` + +boolean, default: true + +Manage the `firewall high-availability service` as well as the `fence-virt port`. +When `ha_cluster_manage_firewall` is `true`, the `firewall high-availability +service` and `fence-virt port` are enabled. +When `ha_cluster_manage_firewall` is `false`, the `firewall high-availability +service` and `fence-virt port` are disabled. + +#### `ha_cluster_manage_selinux` + +boolean, default: true + +Manage the ports belonging to the `firewall high-availability service` using +the selinux role. +When `ha_cluster_manage_selinux` is `true`, the ports belonging to the +`firewall high-availability service` are associated with the selinux port type +`cluster_port_t`. +When `ha_cluster_manage_selinux` is `false`, the ports belonging to the +`firewall high-availability service` are detached from `cluster_port_t`. +Please note that ports which are defined in the selinux policy are not affected +by this variable. #### `ha_cluster_cluster_present` diff --git a/defaults/main.yml b/defaults/main.yml index 028b99f8..d0ee547b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -48,3 +48,11 @@ ha_cluster_constraints_location: [] ha_cluster_constraints_colocation: [] ha_cluster_constraints_order: [] ha_cluster_constraints_ticket: [] + +# If true, manage the high-availability service and the fence-virt port +# using the firewall role. +ha_cluster_manage_firewall: true + +# If true, manage the ports belonging to the high-availability service +# and the fence-virt using the selinux role. +ha_cluster_manage_selinux: true diff --git a/meta/collection-requirements.yml b/meta/collection-requirements.yml new file mode 100644 index 00000000..6da97402 --- /dev/null +++ b/meta/collection-requirements.yml @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: MIT +collections: + - fedora.linux_system_roles diff --git a/tasks/firewall.yml b/tasks/firewall.yml index 0893cbe4..2335feb8 100644 --- a/tasks/firewall.yml +++ b/tasks/firewall.yml @@ -1,35 +1,15 @@ # SPDX-License-Identifier: MIT --- -- name: Get services status - detect firewall - service_facts: +- block: + - name: Initialize firewall option + set_fact: + _ha_cluster_firewall: + - {'service': 'high-availability', 'state': '{{ _state_value }}' } -- name: Configure firewalld - block: - - name: Enable service 'high-availability' in firewalld - command: firewall-cmd --add-service high-availability - when: ansible_facts.services['firewalld.service'].state == 'running' - register: __ha_cluster_firewall_cmd - failed_when: - - __ha_cluster_firewall_cmd.rc != 0 - - __ha_cluster_firewall_cmd.rc != 11 # already enabled - - - name: Enable service 'high-availability' in firewalld permanent config - command: firewall-cmd --permanent --add-service high-availability - register: __ha_cluster_firewall_cmd - when: ansible_facts.services['firewalld.service'].state == 'running' - failed_when: - - __ha_cluster_firewall_cmd.rc != 0 - - __ha_cluster_firewall_cmd.rc != 11 # already enabled - - - name: Enable service 'high-availability' in firewalld offline config - command: firewall-offline-cmd --add-service high-availability - register: __ha_cluster_firewall_cmd - when: ansible_facts.services['firewalld.service'].state != 'running' - failed_when: - - __ha_cluster_firewall_cmd.rc != 0 - - __ha_cluster_firewall_cmd.rc != 11 # already enabled - - - name: Enable fence-virt port in firewalld - all options + - name: Add firewall option for fence-virt/fence-agents + set_fact: + _ha_cluster_firewall: "{{ _ha_cluster_firewall | + union([{'port': '1229/tcp', 'state': '{{ _state_value }}'}]) }}" when: - ( 'fence-virt' in ha_cluster_fence_agent_packages @@ -40,30 +20,12 @@ or 'fence-agents-all' in ha_cluster_extra_packages ) - block: - - name: Enable fence-virt port in firewalld - command: firewall-cmd --add-port 1229/tcp - when: ansible_facts.services['firewalld.service'].state == 'running' - register: __ha_cluster_firewall_cmd - failed_when: - - __ha_cluster_firewall_cmd.rc != 0 - - __ha_cluster_firewall_cmd.rc != 11 # already enabled - - - name: Enable fence-virt port in firewalld permanent config - command: firewall-cmd --permanent --add-port 1229/tcp - when: ansible_facts.services['firewalld.service'].state == 'running' - register: __ha_cluster_firewall_cmd - failed_when: - - __ha_cluster_firewall_cmd.rc != 0 - - __ha_cluster_firewall_cmd.rc != 11 # already enabled - - - name: Enable fence-virt port in firewalld offline config - command: firewall-offline-cmd --add-port 1229/tcp - when: ansible_facts.services['firewalld.service'].state != 'running' - register: __ha_cluster_firewall_cmd - failed_when: - - __ha_cluster_firewall_cmd.rc != 0 - - __ha_cluster_firewall_cmd.rc != 11 # already enabled - when: - - '"firewalld.service" in ansible_facts.services' + - name: Ensure the service and the ports status with the firewall role + include_role: + name: fedora.linux_system_roles.firewall + vars: + firewall: "{{ _ha_cluster_firewall }}" + vars: + _state_value: "{{ ha_cluster_manage_firewall | + ternary('enabled', 'disabled') }}" diff --git a/tasks/main.yml b/tasks/main.yml index 14571fa2..e1fc6643 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -14,6 +14,9 @@ - name: Configure firewall include_tasks: firewall.yml + - name: Configure selinux + include_tasks: selinux.yml + - name: Configure pcs / pcsd include_tasks: pcs-configure-pcs-pcsd.yml diff --git a/tasks/selinux.yml b/tasks/selinux.yml new file mode 100644 index 00000000..f9914700 --- /dev/null +++ b/tasks/selinux.yml @@ -0,0 +1,57 @@ +# SPDX-License-Identifier: MIT +--- +- block: + - name: Set the fence-virt/fence-agents port to _ha_cluster_selinux + set_fact: + _ha_cluster_selinux: + - {'ports': '1229', 'proto': 'tcp', 'setype': 'cluster_port_t', + 'state': '{{ _state_value }}', 'local': 'true'} + when: + - ( + 'fence-virt' in ha_cluster_fence_agent_packages + or + 'fence-virt' in ha_cluster_extra_packages + or + 'fence-agents-all' in ha_cluster_fence_agent_packages + or + 'fence-agents-all' in ha_cluster_extra_packages + ) + + - name: Get the high-availability tcp service ports + shell: |- + set -euo pipefail + grep 'protocol="tcp"' /usr/lib/firewalld/services/high-availability.xml\ + | sed -e "s#.*port=\"\(.*\)\"/>#\1#" + register: __tcp_ports + changed_when: false + + - name: Get the high-availability udp service ports + shell: |- + set -euo pipefail + grep 'protocol="udp"' /usr/lib/firewalld/services/high-availability.xml\ + | sed -e "s#.*port=\"\(.*\)\"/>#\1#" + register: __udp_ports + changed_when: false + + - name: Add the high-availability tcp service ports to _ha_cluster_selinux + set_fact: + _ha_cluster_selinux: "{{ _ha_cluster_selinux | d([]) + + [{'ports': item, 'proto': 'tcp', 'setype': 'cluster_port_t', + 'state': _state_value, 'local': 'true'}] }}" + loop: "{{ __tcp_ports.stdout.split('\n') }}" + + - name: Add the high-availability udp service ports to _ha_cluster_selinux + set_fact: + _ha_cluster_selinux: "{{ _ha_cluster_selinux + + [{'ports': item, 'proto': 'udp', 'setype': 'cluster_port_t', + 'state': _state_value, 'local': 'true'}] }}" + loop: "{{ __udp_ports.stdout.split('\n') }}" + + - name: Ensure the service and the ports status with the selinux role + include_role: + name: fedora.linux_system_roles.selinux + vars: + selinux_ports: "{{ _ha_cluster_selinux }}" + vars: + _state_value: "{{ ha_cluster_manage_selinux | + ternary('present', 'absent') }}" diff --git a/tests/tasks/check_firewall_selinux.yml b/tests/tasks/check_firewall_selinux.yml new file mode 100644 index 00000000..95b78464 --- /dev/null +++ b/tests/tasks/check_firewall_selinux.yml @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: MIT +--- +- block: + - name: Check firewall service status + command: firewall-cmd --list-services + register: _result + failed_when: "'high-availability' not in _result.stdout" + changed_when: false + + - name: Check firewall port status + command: firewall-cmd --list-ports + register: _result + failed_when: "'1229/tcp' not in _result.stdout" + changed_when: false + when: ha_cluster_manage_firewall | d(true) | bool + +- block: + - name: Check firewall service status + command: firewall-cmd --list-services + register: _result + failed_when: "'high-availability' in _result.stdout" + changed_when: false + + - name: Check firewall port status + command: firewall-cmd --list-ports + register: _result + failed_when: "'1229/tcp' in _result.stdout" + changed_when: false + when: not ha_cluster_manage_firewall | d(true) | bool + +- name: Get associated selinux ports + shell: |- + set -euo pipefail + grep 'port=' /usr/lib/firewalld/services/high-availability.xml \ + | sed -e "s#.*port=\"\(.*\)\"/>#\1#" | sort | uniq + register: __ports + changed_when: false + +- name: Check associated selinux ports + shell: |- + set -euo pipefail + sudo semanage port --list | grep cluster_port_t | grep "{{ item }}" + loop: "{{ __ports.stdout.split('\n') }}" + changed_when: false + when: ha_cluster_manage_selinux | d(true) | bool + +- name: Check associated selinux ports + shell: |- + set -euo pipefail + sudo semanage port --list | grep cluster_port_t | grep "{{ item }}" + register: __result + loop: "{{ __ports.stdout.split('\n') }}" + changed_when: false + failed_when: __result.rc == 0 + when: not ha_cluster_manage_selinux | d(true) | bool diff --git a/tests/tests_cib_constraints_create.yml b/tests/tests_cib_constraints_create.yml index f1cf6eaf..8e2d112c 100644 --- a/tests/tests_cib_constraints_create.yml +++ b/tests/tests_cib_constraints_create.yml @@ -647,6 +647,9 @@ - ' set d1 (id:ticket_set_d1_set) setoptions ticket=ticket-set1 (id:ticket_set_d1)' - ' set d1 d2 (id:ct-set_set) set d3 d4 require-all=true sequential=false (id:ct-set_set-1) setoptions loss-policy=fence ticket=ticket-set1 (id:ct-set)' + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + # yamllint enable rule:line-length tags: tests::verify diff --git a/tests/tests_cib_properties_empty.yml b/tests/tests_cib_properties_empty.yml index 74296b6b..b728fe75 100644 --- a/tests/tests_cib_properties_empty.yml +++ b/tests/tests_cib_properties_empty.yml @@ -29,4 +29,7 @@ debug: var: __test_pcs_property_config + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cib_properties_one_set.yml b/tests/tests_cib_properties_one_set.yml index ed71c9ac..6ef98185 100644 --- a/tests/tests_cib_properties_one_set.yml +++ b/tests/tests_cib_properties_one_set.yml @@ -42,4 +42,7 @@ 'stonith-enabled: true' in __test_pcs_property_config.stdout_lines | map('trim') + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cib_resources_create.yml b/tests/tests_cib_resources_create.yml index b62e41e6..ec1a51b7 100644 --- a/tests/tests_cib_resources_create.yml +++ b/tests/tests_cib_resources_create.yml @@ -3318,6 +3318,9 @@ ] } ' + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + # yamllint enable rule:line-length tags: tests::verify diff --git a/tests/tests_cluster_advanced_knet_full.yml b/tests/tests_cluster_advanced_knet_full.yml index 2868be86..cc2c9143 100644 --- a/tests/tests_cluster_advanced_knet_full.yml +++ b/tests/tests_cluster_advanced_knet_full.yml @@ -114,6 +114,9 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + always: - name: Unset node addresses variable set_fact: diff --git a/tests/tests_cluster_advanced_knet_implicit.yml b/tests/tests_cluster_advanced_knet_implicit.yml index b94bf453..423d9272 100644 --- a/tests/tests_cluster_advanced_knet_implicit.yml +++ b/tests/tests_cluster_advanced_knet_implicit.yml @@ -55,4 +55,7 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cluster_advanced_udp_full.yml b/tests/tests_cluster_advanced_udp_full.yml index f1e66184..272a133a 100644 --- a/tests/tests_cluster_advanced_udp_full.yml +++ b/tests/tests_cluster_advanced_udp_full.yml @@ -80,4 +80,7 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cluster_basic.yml b/tests/tests_cluster_basic.yml index 4dc1feaf..482b8648 100644 --- a/tests/tests_cluster_basic.yml +++ b/tests/tests_cluster_basic.yml @@ -5,6 +5,9 @@ vars_files: vars/main.yml vars: ha_cluster_cluster_name: test-cluster + # test not to install and configure firewall and selinux + ha_cluster_manage_firewall: false + ha_cluster_manage_selinux: false tasks: - block: @@ -101,4 +104,7 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cluster_basic_custom_pcsd_tls.yml b/tests/tests_cluster_basic_custom_pcsd_tls.yml index 794b906e..7eec0933 100644 --- a/tests/tests_cluster_basic_custom_pcsd_tls.yml +++ b/tests/tests_cluster_basic_custom_pcsd_tls.yml @@ -68,4 +68,7 @@ stat_pcsd_key.stat.checksum == stat_pcsd_key_expected.stat.checksum + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cluster_basic_disabled.yml b/tests/tests_cluster_basic_disabled.yml index f3a71ad8..f1a9eca1 100644 --- a/tests/tests_cluster_basic_disabled.yml +++ b/tests/tests_cluster_basic_disabled.yml @@ -31,4 +31,7 @@ - name: Assert cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cluster_basic_existing_psks.yml b/tests/tests_cluster_basic_existing_psks.yml index aa6dff11..df0ec88c 100644 --- a/tests/tests_cluster_basic_existing_psks.yml +++ b/tests/tests_cluster_basic_existing_psks.yml @@ -192,4 +192,7 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_cluster_basic_new_psks.yml b/tests/tests_cluster_basic_new_psks.yml index 2adb7b48..320e3ee1 100644 --- a/tests/tests_cluster_basic_new_psks.yml +++ b/tests/tests_cluster_basic_new_psks.yml @@ -163,4 +163,7 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_sbd_all_options.yml b/tests/tests_sbd_all_options.yml index de8f4965..2ce2b0f9 100644 --- a/tests/tests_sbd_all_options.yml +++ b/tests/tests_sbd_all_options.yml @@ -69,6 +69,9 @@ __test_sbd_config_lines[-1] == 'SBD_OPTS="-n {{ __ha_cluster_node_name }}"' + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + always: - name: Unset SBD devices and watchdogs set_fact: diff --git a/tests/tests_sbd_check_devices_count.yml b/tests/tests_sbd_check_devices_count.yml index 57227e9f..1cf2075d 100644 --- a/tests/tests_sbd_check_devices_count.yml +++ b/tests/tests_sbd_check_devices_count.yml @@ -39,6 +39,9 @@ }}" run_once: true + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + when: ansible_play_hosts_all | length > 1 always: - name: Unset SBD devices variable diff --git a/tests/tests_sbd_defaults.yml b/tests/tests_sbd_defaults.yml index 16ec1759..66ebf24e 100644 --- a/tests/tests_sbd_defaults.yml +++ b/tests/tests_sbd_defaults.yml @@ -89,6 +89,9 @@ - name: Check cluster status include_tasks: tasks/assert_cluster_running.yml + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + always: - name: Clean up test environment for SBD include_role: diff --git a/tests/tests_sbd_defaults_disabled.yml b/tests/tests_sbd_defaults_disabled.yml index 714b57ca..5c6b04b2 100644 --- a/tests/tests_sbd_defaults_disabled.yml +++ b/tests/tests_sbd_defaults_disabled.yml @@ -29,4 +29,7 @@ - ansible_facts.services["pacemaker.service"].status == "disabled" - ansible_facts.services["sbd.service"].status == "disabled" + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + tags: tests::verify diff --git a/tests/tests_sbd_needs_atb_while_atb_disabled.yml b/tests/tests_sbd_needs_atb_while_atb_disabled.yml index 4f330dbc..35c25a10 100644 --- a/tests/tests_sbd_needs_atb_while_atb_disabled.yml +++ b/tests/tests_sbd_needs_atb_while_atb_disabled.yml @@ -40,6 +40,9 @@ ~ 'to be enabled' run_once: true + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + when: ansible_play_hosts_all | length is even always: - name: Unset SBD devices variable diff --git a/tests/tests_sbd_needs_atb_while_atb_enabled.yml b/tests/tests_sbd_needs_atb_while_atb_enabled.yml index 358b327d..2c45ede6 100644 --- a/tests/tests_sbd_needs_atb_while_atb_enabled.yml +++ b/tests/tests_sbd_needs_atb_while_atb_enabled.yml @@ -46,6 +46,9 @@ __test_quorum_config.stdout_lines | map('trim') | list }}" + - name: Check firewall and selinux state + include_tasks: tasks/check_firewall_selinux.yml + when: ansible_play_hosts_all | length is even always: - name: Unset SBD devices variable