---
# Controlled by sap-hana-preconfigure.yaml playbook
#- name: SAP HANA Post Install - Enable and start the firewalld service
# ansible.builtin.systemd:
# name: firewalld
# state: started
# enabled: yes
# tags: sap_hana_install_configure_firewall
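- name: SAP HANA Post Install - Set LogDenied to all in firewalld.conf
  # Make firewalld log every denied packet. The pattern matches any existing
  # 'LogDenied=' line, not just 'LogDenied=off': with the narrower pattern a value
  # such as 'LogDenied=unicast' stayed in place and lineinfile appended a second,
  # conflicting 'LogDenied=all' line at the end of the file.
  # NOTE(review): firewalld.conf is only read when firewalld starts or reloads;
  # nothing here triggers a reload, so the setting becomes active only after one.
  ansible.builtin.lineinfile:
    path: /etc/firewalld/firewalld.conf
    regexp: '^LogDenied='
    line: 'LogDenied=all'
  tags: sap_hana_install_configure_firewall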
- name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --add-port'
  # Prefix each entry of sap_hana_install_firewall[0].port with '--add-port=' so
  # every port specification becomes one firewall-cmd argument (constructed
  # example: '30000-30010/tcp' -> '--add-port=30000-30010/tcp').
  # Runs only when the firewall entry asks for the ports to be enabled.
  tags: sap_hana_install_configure_firewall
  when: sap_hana_install_firewall[0].state == 'enabled'
  ansible.builtin.set_fact:
    __sap_hana_install_fact_firewall_cmd_args: >-
      {{ sap_hana_install_firewall[0].port |
      map('regex_replace', '^', '--add-port=') | list }}
- name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --remove-port'
  # Counterpart of the '--add-port' task: prefix each entry of
  # sap_hana_install_firewall[0].port with '--remove-port=' (constructed example:
  # '30000-30010/tcp' -> '--remove-port=30000-30010/tcp').
  # Runs only when the firewall entry asks for the ports to be disabled.
  tags: sap_hana_install_configure_firewall
  when: sap_hana_install_firewall[0].state == 'disabled'
  ansible.builtin.set_fact:
    __sap_hana_install_fact_firewall_cmd_args: >-
      {{ sap_hana_install_firewall[0].port |
      map('regex_replace', '^', '--remove-port=') | list }}
- name: SAP HANA Post Install - Set fact for the 'firewall-cmd' command
  # Assemble the complete command line: each argument is shell-quoted and the
  # ports are applied to the 'public' zone. The argument list comes from the two
  # preceding set_fact tasks, which run only for state 'enabled' or 'disabled';
  # for any other state the variable is undefined and this template fails.
  tags: sap_hana_install_configure_firewall
  ansible.builtin.set_fact:
    __sap_hana_install_fact_firewall_cmd_command: >-
      firewall-cmd --zone=public
      {{ __sap_hana_install_fact_firewall_cmd_args | map('quote') | join(' ') }}
- name: SAP HANA Post Install - Display the 'firewall-cmd' command
  # Print the assembled command so it appears in the play output before it is run.
  tags: sap_hana_install_configure_firewall
  ansible.builtin.debug:
    var: __sap_hana_install_fact_firewall_cmd_command
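# No matter if the ports have already been enabled or not, the changed state
# of the command is always true. To keep ansible-lint from reporting a violation
# of the no-changed-when rule, changed_when is simply set to true here.
- name: SAP HANA Post Install - Enable the required ports immediately
  # Runtime change only; the '--permanent' run of the same command follows below.
  # Despite the task name, the command removes ports when the firewall entry
  # has state 'disabled' (the argument list then uses '--remove-port=').
  ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }}"
  changed_when: true  # canonical boolean; 'yes' is a YAML 1.1 truthy value
  tags: sap_hana_install_configure_firewall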
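- name: SAP HANA Post Install - Get the current firewall configuration of the default zone
  # Read-only query of the runtime configuration; the result is only displayed.
  # NOTE(review): the ports above are applied with '--zone=public', whereas this
  # lists the default zone; both show the same thing only when 'public' is the
  # default zone.
  ansible.builtin.command: firewall-cmd --list-all
  changed_when: false  # canonical boolean; 'no' is a YAML 1.1 truthy value
  register: __sap_hana_install_register_current_firewall_ports
  tags: sap_hana_install_configure_firewall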
- name: SAP HANA Post Install - Display the current firewall configuration of the default zone
  # Show the runtime 'firewall-cmd --list-all' output captured by the previous task.
  tags: sap_hana_install_configure_firewall
  ansible.builtin.debug:
    var: __sap_hana_install_register_current_firewall_ports.stdout_lines
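# No matter if the ports have already been enabled or not, the changed state
# of the command is always true. To keep ansible-lint from reporting a violation
# of the no-changed-when rule, changed_when is simply set to true here.
- name: SAP HANA Post Install - Enable the required ports permanently
  # Same command as the runtime task, with '--permanent' so the change survives
  # a firewalld reload/restart. As above, the command removes ports when the
  # firewall entry has state 'disabled'.
  ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }} --permanent"
  changed_when: true  # canonical boolean; 'yes' is a YAML 1.1 truthy value
  tags: sap_hana_install_configure_firewall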
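- name: SAP HANA Post Install - Get the permanent firewall configuration of the default zone
  # '--permanent' is required here: without it 'firewall-cmd --list-all' reports
  # the runtime configuration, not the permanent one this task is meant to show.
  # NOTE(review): the ports above are applied with '--zone=public', whereas this
  # lists the default zone; both show the same thing only when 'public' is the
  # default zone.
  ansible.builtin.command: firewall-cmd --permanent --list-all
  changed_when: false  # canonical boolean; 'no' is a YAML 1.1 truthy value
  register: __sap_hana_install_register_permanent_firewall_ports
  tags: sap_hana_install_configure_firewall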
- name: SAP HANA Post Install - Display the permanent firewall configuration of the default zone
  # Show the 'firewall-cmd --list-all' output captured by the previous task.
  tags: sap_hana_install_configure_firewall
  ansible.builtin.debug:
    var: __sap_hana_install_register_permanent_firewall_ports.stdout_lines
- name: SAP HANA Post Install - Add SELinux port labels
  # Label every configured port with the 'sap_port_t' SELinux type. Each loop
  # item is expected in 'port/protocol' form, the same shape 'firewall-cmd
  # --add-port' consumes; 'semanage port' takes the protocol (-p) and then the
  # port or dash-separated range, e.g. 'semanage port -a -t sap_port_t -p tcp 30000-30010'.
  # A port that is already labelled is not treated as a failure; any other
  # non-zero exit is. Only runs when the firewall entry has state 'enabled';
  # nothing removes the labels for state 'disabled'.
  # NOTE(review): a port already defined with a different type is left as is
  # ('semanage port -m' would be needed to change it) — confirm this is intended.
  ansible.builtin.command: >-
    semanage port -a -t sap_port_t
    -p {{ item.split('/')[1] }} {{ item.split('/')[0] }}
  loop: "{{ sap_hana_install_firewall[0].port }}"
  when: sap_hana_install_firewall[0].state == 'enabled'
  register: __sap_hana_install_register_semanage_ports
  changed_when: __sap_hana_install_register_semanage_ports.rc == 0
  failed_when: >-
    __sap_hana_install_register_semanage_ports.rc != 0 and
    'Port is already defined' not in __sap_hana_install_register_semanage_ports.stderr
  tags: sap_hana_install_configure_firewall