Refactor firewall management

mpagot · mpagot · commit d148ca14f436 · 2025-12-15T17:47:47.000+01:00
Introduces a new variable `firewall_cfg` in the `sap-hana-preconfigure`
playbook to provide more explicit control over the firewalld service.
This new variable allows to 'enable', 'disable', or 'ignore' the
firewall configuration.
The `sap_hana_install` role is updated to delegate the firewall
service management to the preconfigure playbook, avoiding conflicts
and centralizing the configuration.
The documentation has been updated to reflect these changes.
Softfail for bsc#1254356 in 16.0
diff --git a/ansible/playbooks/roles/sap_hana_install/README.md b/ansible/playbooks/roles/sap_hana_install/README.md
@@ -140,7 +140,8 @@ or if it will add further hosts to an existing SAP HANA system as specified by v
 `sap_hana_install_addhosts`. Default is `yes` for a fresh SAP HANA installation.
 
 The role can be configured to also set the required firewall ports for SAP HANA. If this is desired, set
-the variable `sap_hana_install_update_firewall` to `yes` (default is `no`). The firewall ports are defined
+the variable `sap_hana_install_update_firewall` to `true` (default is `false` that means the role will not touch
+any firewall related system settings, leaving whatever the system has unchanged). The firewall ports are defined
 in a variable which is compatible with the variable structure used by Linux System Role `firewall`.
 The firewall ports for SAP HANA are defined in member `port` of the first field of variable
 `sap_hana_install_firewall` (`sap_hana_install_firewall[0].port`), see file `defaults/main.yml`. If the
@@ -257,7 +258,7 @@ You can find more complex playbooks in directory `playbooks` of the collection `
     - Extract all SAR files into `sap_hana_install_software_extract_directory`.
 
 Note: For each SAPCAR or SAR file called or used by the role, if variable `sap_hana_install_verify_checksums`
-is set to `yes`, the role will perform a checksum verification against a specific or global checksum file.
+is set to `true`, the role will perform a checksum verification against a specific or global checksum file.
 
 - Check existence of `hdblcm` in `SAP_HANA_DATABASE` directory from the extracted SAR files.
 
@@ -327,7 +328,7 @@ With the following tags, the role can be called to perform certain activities on
   with `--skip-tags`, to skip modifying these directories. This can be useful when using tag
   `sap_hana_install_preinstall`.
 - tag `sap_hana_install_configure_firewall`: Use this flag to only configure the firewall ports for
-  SAP HANA. Note: The role variable `sap_hana_install_update_firewall` has to be set to `yes` as
+  SAP HANA. Note: The role variable `sap_hana_install_update_firewall` has to be set to `true` as
   well.
 - tag `sap_hana_install_extract_sarfiles`: Use this flag with `--skip-tags` to run the SAR file
   preparation steps of tag `sap_hana_install_prepare_sarfiles` without extracting the SAR files.
diff --git a/ansible/playbooks/roles/sap_hana_install/defaults/main.yml b/ansible/playbooks/roles/sap_hana_install/defaults/main.yml
@@ -11,14 +11,14 @@ sap_hana_install_software_directory: '/software/hana'
 # created again before the extraction starts.
 sap_hana_install_software_extract_directory: "{{ sap_hana_install_software_directory }}/extracted"
 
-# Set this variabe to `yes` if you want to copy the SAR files from `sap_hana_install_software_directory`
+# Set this variabe to `true` if you want to copy the SAR files from `sap_hana_install_software_directory`
 # to `sap_hana_install_software_extract_directory/sarfiles` before extracting.
 # This might be useful if the SAR files are on a slow fileshare.
-sap_hana_install_copy_sarfiles: no
+sap_hana_install_copy_sarfiles: false
 
-# Set the following variable to `yes` if you want to keep the copied SAR files. By default, the SAR files will be
+# Set the following variable to `true` if you want to keep the copied SAR files. By default, the SAR files will be
 # removed after extraction.
-sap_hana_install_keep_copied_sarfiles: no
+sap_hana_install_keep_copied_sarfiles: false
 
 # File name of SAPCAR*EXE in the software directory. If the variable is not set and there is more than one SAPCAR executable
 # in the software directory, the latest SAPCAR executable for the CPU architecture will be selected automatically.
@@ -30,9 +30,9 @@ sap_hana_install_keep_copied_sarfiles: no
 #  - SAPHOSTAGENT54_54-80004822.SAR
 #  - IMDB_SERVER20_060_0-80002031.SAR
 
-# Set the following variable to `yes` to let the role abort if checksum verification fails for any SAPCAR or SAR file
+# Set the following variable to `true` to let the role abort if checksum verification fails for any SAPCAR or SAR file
 # called or used by the role.
-sap_hana_install_verify_checksums: no
+sap_hana_install_verify_checksums: false
 
 # Checksum algorithm for checksum verification. Default is sha256, for which a checksum is available in the SAP software
 # download pages.
@@ -41,9 +41,9 @@ sap_hana_install_checksum_algorithm: sha256
 # In case a global checksum file is present, use the following variable to specify the full path to this file:
 #sap_hana_install_global_checksum_file: "{{ sap_hana_install_software_directory }}/SHA256"
 
-# Set the following variable to `yes` to let hdbclm verify SAR file signatures. This corresponds to the hdblcm command line
+# Set the following variable to `true` to let hdbclm verify SAR file signatures. This corresponds to the hdblcm command line
 # argument `--verify_signature`.
-sap_hana_install_verify_signature: no
+sap_hana_install_verify_signature: false
 
 # hdblcm configfile related variables:
 # Directory where to store the hdblcm configfile template and the Jinja2 template:
@@ -57,31 +57,31 @@ sap_hana_install_local_configfile_directory: '/tmp'
 
 # If you would like to perform an installation check after the installation, set the following variable to 'yes'.
 # Note: This only works if there is no static configfile available in sap_hana_install_configfile_directory.
-sap_hana_install_check_installation: no
+sap_hana_install_check_installation: false
 
-# Only if sap_hana_install_check_installation (above) is set to 'yes', you can select which command to use by setting the
-# following variable to `yes` or `no`.
+# Only if sap_hana_install_check_installation (above) is set to 'true', you can select which command to use by setting the
+# following variable to `true` or `false`.
 # yes: use the command 'hdbcheck', with parameters `--remote_execution=ssh` and `--scope=system`
 # no: use the command `hdblcm --action=check_installation`
-sap_hana_install_use_hdbcheck: yes
+sap_hana_install_use_hdbcheck: true
 
-# If the following variable is set to `no`, the role will attempt to install SAP HANA even if there is already a sidadm user.
-# Default is `yes`.
-sap_hana_install_check_sidadm_user: yes
+# If the following variable is set to `false`, the role will attempt to install SAP HANA even if there is already a sidadm user.
+# Default is `true`.
+sap_hana_install_check_sidadm_user: true
 
-# If the following variable is undefined or set to `yes`, the role will perform a fresh SAP HANA installation.
-# If set to `no`, additional hosts as specified by variable sap_hana_install_addhosts will be added to
+# If the following variable is undefined or set to `true`, the role will perform a fresh SAP HANA installation.
+# If set to `false`, additional hosts as specified by variable sap_hana_install_addhosts will be added to
 # an existing HANA system.
-sap_hana_install_new_system: yes
+sap_hana_install_new_system: true
 
 # The first tenant database is using a port range not within the range of the ports of additional tenant databases.
 # In case this is not desired, you can set the following parameter to `yes` to recreate the initial tenant database.
-sap_hana_install_recreate_tenant_database: no
+sap_hana_install_recreate_tenant_database: false
 
 # The following parameter controls if the log_mode should be set to overwrite following the installation of the database.
 # log_mode overwrite is useful in non-prod testing as log backups are not created and disk use is kept low
 # However, log_mode overwrite disabled to ability to do point-in-time restores and is not supported in production
-sap_hana_set_log_mode_overwrite: no
+sap_hana_set_log_mode_overwrite: false
 
 ################
 # Parameters for hdblcm:
@@ -123,7 +123,7 @@ sap_hana_install_use_master_password: 'y'
 #sap_hana_install_xs_org_password:
 
 # Optional steps
-sap_hana_install_update_firewall: no
+sap_hana_install_update_firewall: false
 
 # List of firewall ports for SAP HANA. Note: The structure of the variable is compatible
 # with the variable `firewall` of Linux System Role `firewall`.
@@ -156,7 +156,7 @@ sap_hana_install_hdbuserstore_key: 'HDB_SYSTEMDB'
 sap_hana_install_nw_input_location: '/tmp'
 
 # License
-sap_hana_install_apply_license: no
+sap_hana_install_apply_license: false
 #sap_hana_install_license_path:
 #sap_hana_install_license_file_name:
 
diff --git a/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml b/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
@@ -1,11 +1,11 @@
 ---
 
-- name: SAP HANA Post Install - Enable and start the firewalld service
-  ansible.builtin.systemd:
-    name: firewalld
-    state: started
-    enabled: yes
-  tags: sap_hana_install_configure_firewall
+# - name: SAP HANA Post Install - Enable and start the firewalld service
+#   ansible.builtin.systemd:
+#     name: firewalld
+#     state: started
+#     enabled: true
+#   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --add-port'
   ansible.builtin.set_fact:
@@ -37,12 +37,12 @@
 # of the no-changed-when rule, we just set changed_when to true here.
 - name: SAP HANA Post Install - Enable the required ports immediately
   ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }}"
-  changed_when: yes
+  changed_when: true
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Get the current firewall configuration of the default zone
   ansible.builtin.command: firewall-cmd --list-all
-  changed_when: no
+  changed_when: false
   register: __sap_hana_install_register_current_firewall_ports
   tags: sap_hana_install_configure_firewall
 
@@ -56,12 +56,12 @@
 # of the no-changed-when rule, we just set changed_when to true here.
 - name: SAP HANA Post Install - Enable the required ports permanently
   ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }} --permanent"
-  changed_when: yes
+  changed_when: true
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Get the permanent firewall configuration of the default zone
   ansible.builtin.command: firewall-cmd --list-all
-  changed_when: no
+  changed_when: false
   register: __sap_hana_install_register_permanent_firewall_ports
   tags: sap_hana_install_configure_firewall
 
diff --git a/ansible/playbooks/roles/sap_hana_install/tasks/pre_install/prepare_sarfiles.yml b/ansible/playbooks/roles/sap_hana_install/tasks/pre_install/prepare_sarfiles.yml
@@ -37,7 +37,7 @@
 
   when: sap_hana_install_sarfiles is not defined
 
-- name: Copy SAR files to final destination if 'sap_hana_install_copy_sarfiles' is 'yes'
+- name: Copy SAR files to final destination if 'sap_hana_install_copy_sarfiles' is 'true'
   block:
 
     - name: SAP HANA hdblcm prepare - Create directory '{{ sap_hana_install_software_extract_directory }}/sarfiles'
diff --git a/ansible/playbooks/sap-hana-preconfigure.yaml b/ansible/playbooks/sap-hana-preconfigure.yaml
@@ -24,6 +24,7 @@
     use_connecttimeout: 10
     saptune_solution: HANA
     cluster_node: true
+    firewall_cfg: 'ignore'
 
   tasks:
     # Ensure required installation of required packages
@@ -75,6 +76,39 @@
         state: present
       when: cluster_node | bool
 
+    - name: Validate firewall_cfg
+      ansible.builtin.assert:
+        that:
+          - firewall_cfg is defined
+          - firewall_cfg in ['ignore', 'enable', 'disable']
+        fail_msg: "Variable 'firewall_cfg' must be 'ignore', 'enable' or 'disable'. Found '{{ firewall_cfg }}'"
+
+    - name: Get service facts
+      ansible.builtin.service_facts:
+
+    - name: Debug firewall status on specific OS version
+      ansible.builtin.debug:
+        msg:
+          - "[OSADO][softfail] bsc#1254356"
+          - "The firewalld service is not stopped and disabled on this system."
+      when:
+        - ansible_distribution_major_version == '16'
+        - firewall_cfg != 'ignore'  # avoid to hide the bug by forcing the firewall state
+        - "'firewalld' in ansible_facts.services"
+        - ansible_facts.services['firewalld'].state != 'stopped' or ansible_facts.services['firewalld'].status != 'disabled'
+
+    - name: Set firewall service state and enabled status
+      ansible.builtin.set_fact:
+        firewall_service_state: "{{ 'started' if firewall_cfg == 'enable' else 'stopped' }}"
+        firewall_service_enabled: "{{ 'yes' if firewall_cfg == 'enable' else 'no' }}"
+
+    - name: Configure the firewall service state
+      ansible.builtin.systemd:
+        name: firewalld
+        state: "{{ firewall_service_state }}"
+        enabled: "{{ firewall_service_enabled }}"
+      when: firewall_cfg != 'ignore'
+
     - name: Configure sapconf based systems
       ansible.builtin.include_tasks: ./tasks/sapconf.yaml
       when: use_sapconf | bool
