When ha_cluster_manage_firewall and ha_cluster_manage_selinux are

set to false, it does not call the firewall role and the selinux
role, respectively.

The default value of ha_cluster_manage_firewall and ha_cluster_
manage_selinux are changed to false. Note: this changes the
ha_cluster role's behavior. It used to configure firewall without
any settings if the firewall service is enabled. With this change,
unless ha_cluster_manage_firewall is set to true, the firewall is
not configured.

README.md

@@ -32,29 +32,37 @@ RHEL and CentOS only, enable repositories containing needed packages
 
 #### `ha_cluster_manage_firewall`
 
-boolean, default: true
+boolean, default: false
 
 Manage the `firewall high-availability service` as well as the `fence-virt port`.
 When `ha_cluster_manage_firewall` is `true`, the `firewall high-availability
 service` and `fence-virt port` are enabled.
-When `ha_cluster_manage_firewall` is `false`, the `firewall high-availability
-service` and `fence-virt port` are disabled.
-Please note that configuring firewalld is ensured regardless of the
-`ha_cluster_manage_firewall` value.
+When `ha_cluster_manage_firewall` is `false`, the `ha_cluster role` does not
+manage the firewall.
+NOTE: `ha_cluster_manage_firewall` is limited to *adding* ports.
+It cannot be used for *removing* ports.
+If you want to remove ports, you will need to use the firewall selinux system
+roles directly.
 
 #### `ha_cluster_manage_selinux`
 
-boolean, default: true
+boolean, default: false
 
 Manage the ports belonging to the `firewall high-availability service` using
 the selinux role.
 When `ha_cluster_manage_selinux` is `true`, the ports belonging to the
 `firewall high-availability service` are associated with the selinux port type
 `cluster_port_t`.
-When `ha_cluster_manage_selinux` is `false`, the ports belonging to the
-`firewall high-availability service` are detached from `cluster_port_t`.
-Please note that ports which are defined in the selinux policy are not affected
-by this variable.
+When `ha_cluster_manage_selinux` is `false`, the `ha_cluster role` does not
+manage the selinux.
+
+NOTE: The firewall configuration is prerequisite for managing selinux. If the
+firewall is not installed, managing selinux policy is skipped.
+
+NOTE: `ha_cluster_manage_selinux` is limited to *adding* policy.
+It cannot be used for *removing* policy.
+If you want to remove policy, you will need to use the selinux selinux system
+roles directly.
 
 #### `ha_cluster_cluster_present`
 
@@ -84,7 +92,7 @@ automatically by the role, for example custom resource agents.
 
 It is possible to specify fence agents here as well. However,
 `ha_cluster_fence_agent_packages` is preferred for that, so that its default
-value is overriden.
+value is overridden.
 
 #### `ha_cluster_hacluster_password`
 
@@ -896,7 +904,7 @@ all:
 
 #### SBD watchdog and devices
 When using SBD, you may optionally configure watchdog and SBD devices for each
-node in inventory. Even though all SBD devices must be shared to and accesible
+node in inventory. Even though all SBD devices must be shared to and accessible
 from all nodes, each node may use different names for the devices. Watchdog may
 be different for each node as well. See also [SBD
 variables](#ha_cluster_sbd_enabled).

defaults/main.yml

@@ -53,8 +53,8 @@ ha_cluster_constraints_ticket: []
 
 # If true, manage the high-availability service and the fence-virt port
 # using the firewall role.
-ha_cluster_manage_firewall: true
+ha_cluster_manage_firewall: false
 
 # If true, manage the ports belonging to the high-availability service
 # and the fence-virt using the selinux role.
-ha_cluster_manage_selinux: true
+ha_cluster_manage_selinux: false

tasks/firewall.yml

@@ -4,12 +4,12 @@
     - name: Initialize firewall option
       set_fact:
         _ha_cluster_firewall:
-          - {'service': 'high-availability', 'state': '{{ _state_value }}' }
+          - {'service': 'high-availability', 'state': 'enabled' }
 
     - name: Add firewall option for fence-virt/fence-agents
       set_fact:
         _ha_cluster_firewall: "{{ _ha_cluster_firewall |
-            union([{'port': '1229/tcp', 'state': '{{ _state_value }}'}]) }}"
+            union([{'port': '1229/tcp', 'state': 'enabled'}]) }}"
       when:
         - ansible_architecture == 'x86_64'
         - (
@@ -27,6 +27,5 @@
         name: fedora.linux_system_roles.firewall
       vars:
         firewall: "{{ _ha_cluster_firewall }}"
-  vars:
-    _state_value: "{{ ha_cluster_manage_firewall |
-                      ternary('enabled', 'disabled') }}"
+  when:
+    - ha_cluster_manage_firewall | bool

tasks/selinux.yml

@@ -1,11 +1,14 @@
 # SPDX-License-Identifier: MIT
 ---
+- name: Populate service facts
+  service_facts:
+
 - block:
     - name: Set the fence-virt/fence-agents port to _ha_cluster_selinux
       set_fact:
         _ha_cluster_selinux:
           - {'ports': '1229', 'proto': 'tcp', 'setype': 'cluster_port_t',
-             'state': '{{ _state_value }}', 'local': 'true'}
+             'state': 'present', 'local': 'true'}
       when:
         - (
             'fence-virt' in ha_cluster_fence_agent_packages
@@ -29,7 +32,7 @@
       set_fact:
         _ha_cluster_selinux: "{{ _ha_cluster_selinux | d([]) +
             [{'ports': _pair[0], 'proto': _pair[1], 'setype': 'cluster_port_t',
-              'state': _state_value, 'local': 'true'}] }}"
+              'state': 'present', 'local': 'true'}] }}"
       vars:
         _pair: "{{ item.split('/') }}"
       loop: "{{ __ports.stdout.split(' ') }}"
@@ -39,6 +42,6 @@
         name: fedora.linux_system_roles.selinux
       vars:
         selinux_ports: "{{ _ha_cluster_selinux }}"
-  vars:
-    _state_value: "{{ ha_cluster_manage_selinux |
-                      ternary('present', 'absent') }}"
+  when:
+    - '"firewalld.service" in ansible_facts.services'
+    - ha_cluster_manage_firewall | bool

tests/tasks/check_firewall_selinux.yml

@@ -12,44 +12,26 @@
       register: _result
       failed_when: "'1229/tcp' not in _result.stdout"
       changed_when: false
-  when: ha_cluster_manage_firewall | d(true) | bool
+  when: ha_cluster_manage_firewall | bool
 
 - block:
-    - name: Check firewall service status
-      command: firewall-cmd --list-services
-      register: _result
-      failed_when: "'high-availability' in _result.stdout"
+    - name: Get associated selinux ports
+      shell: |-
+        set -euo pipefail
+        firewall-cmd --info-service=high-availability | \
+          egrep " +ports: +" | sed -e "s/ *ports: //"
+      register: __ports
       changed_when: false
 
-    - name: Check firewall port status
-      command: firewall-cmd --list-ports
-      register: _result
-      failed_when: "'1229/tcp' in _result.stdout"
+    - name: Check associated selinux ports
+      shell: |-
+        set -euo pipefail
+        sudo semanage port --list | grep cluster_port_t | \
+          grep "{{ _pair[0] }}" | grep "{{ _pair[1] }}"
+      vars:
+        _pair: "{{ item.split('/') }}"
+      loop: "{{ __ports.stdout.split(' ') }}"
       changed_when: false
-  when: not ha_cluster_manage_firewall | d(true) | bool
-
-- name: Get associated selinux ports
-  shell: |-
-    set -euo pipefail
-    grep 'port=' /usr/lib/firewalld/services/high-availability.xml \
-      | sed -e "s#.*port=\"\(.*\)\"/>#\1#" | sort | uniq
-  register: __ports
-  changed_when: false
-
-- name: Check associated selinux ports
-  shell: |-
-    set -euo pipefail
-    sudo semanage port --list | grep cluster_port_t | grep "{{ item }}"
-  loop: "{{ __ports.stdout.split('\n') }}"
-  changed_when: false
-  when: ha_cluster_manage_selinux | d(true) | bool
-
-- name: Check associated selinux ports
-  shell: |-
-    set -euo pipefail
-    sudo semanage port --list | grep cluster_port_t | grep "{{ item }}"
-  register: __result
-  loop: "{{ __ports.stdout.split('\n') }}"
-  changed_when: false
-  failed_when: __result.rc == 0
-  when: not ha_cluster_manage_selinux | d(true) | bool
+  when:
+    - ha_cluster_manage_selinux | bool
+    - '"firewalld.service" in ansible_facts.services'

tests/tests_cib_constraints_create.yml

@@ -381,8 +381,8 @@
         options:
           - name: loss-policy
             value: fence
-    # test not to configure selinux
-    ha_cluster_manage_selinux: false
+    # test to set true to manage selinux to see it's ignored.
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -394,6 +394,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster versions of cluster components
           include_tasks: tasks/fetch_versions.yml

tests/tests_cib_properties_empty.yml

@@ -7,8 +7,8 @@
     ha_cluster_cluster_name: test-cluster
     ha_cluster_cluster_properties:
       - attrs:
-    # test not to configure firewall
-    ha_cluster_manage_firewall: false
+    # test to set true to manage firewall only
+    ha_cluster_manage_firewall: true
 
   tasks:
     - block:
@@ -20,6 +20,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster properties configuration from the cluster
           command:

tests/tests_cib_properties_one_set.yml

@@ -11,6 +11,8 @@
             value: 'true'
           - name: no-quorum-policy
             value: stop
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
   tasks:
     - block:
         - name: Set up test environment
@@ -21,6 +23,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster properties configuration from the cluster
           command:

tests/tests_cib_resources_create.yml

@@ -256,6 +256,8 @@
                 value: Stopped
               - name: an-attr
                 value: a value
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -267,6 +269,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster versions of cluster components
           include_tasks: tasks/fetch_versions.yml

tests/tests_cluster_advanced_knet_full.yml

@@ -45,6 +45,8 @@
           value: 1
         - name: wait_for_all
           value: 1
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -67,6 +69,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster versions of cluster components
           include_tasks: tasks/fetch_versions.yml

tests/tests_cluster_advanced_knet_implicit.yml

@@ -11,6 +11,8 @@
           value: none
         - name: hash
           value: none
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -22,6 +24,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster versions of cluster components
           include_tasks: tasks/fetch_versions.yml

tests/tests_cluster_advanced_udp_full.yml

@@ -30,6 +30,8 @@
           value: 1
         - name: wait_for_all
           value: 1
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -41,6 +43,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Fetch cluster versions of cluster components
           include_tasks: tasks/fetch_versions.yml

tests/tests_cluster_basic.yml

@@ -5,9 +5,6 @@
   vars_files: vars/main.yml
   vars:
     ha_cluster_cluster_name: test-cluster
-    # test not to configure firewall and selinux
-    ha_cluster_manage_firewall: false
-    ha_cluster_manage_selinux: false
 
   tasks:
     - block:
@@ -30,6 +27,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Get services status
           service_facts:

tests/tests_cluster_basic_custom_fence_agents.yml

@@ -23,6 +23,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Get packages status
           package_facts:

tests/tests_cluster_basic_custom_packages.yml

@@ -24,6 +24,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Get packages status
           package_facts:

tests/tests_cluster_basic_custom_pcsd_tls.yml

@@ -7,6 +7,8 @@
     ha_cluster_cluster_name: test-cluster
     ha_cluster_pcsd_public_key_src: "{{ __ha_cluster_work_dir.path }}/pcsd.crt"
     ha_cluster_pcsd_private_key_src: "{{ __ha_cluster_work_dir.path }}/pcsd.key"
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -43,6 +45,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Stat pcsd TLS certificate
           stat:

tests/tests_cluster_basic_disabled.yml

@@ -6,6 +6,8 @@
   vars:
     ha_cluster_cluster_name: test-cluster
     ha_cluster_start_on_boot: false
+    ha_cluster_manage_firewall: true
+    ha_cluster_manage_selinux: true
 
   tasks:
     - block:
@@ -17,6 +19,7 @@
         - name: Run HA Cluster role
           include_role:
             name: linux-system-roles.ha_cluster
+            public: true
 
         - name: Get services status
           service_facts: