Refactor firewall management

Introduces a new variable `firewall_cfg` in the `sap-hana-preconfigure`
playbook to provide more explicit control over the firewalld service.
This new variable allows to 'enable', 'disable', or 'ignore' the
firewall configuration.
The `sap_hana_install` role is updated to delegate the firewall
service management to the preconfigure playbook, avoiding conflicts
and centralizing the configuration.
The documentation has been updated to reflect these changes.
Softfail for bsc#1254356 in 16.0

Author: mpagot

ansible/playbooks/roles/sap_hana_install/README.md

@@ -140,7 +140,8 @@ or if it will add further hosts to an existing SAP HANA system as specified by v
 `sap_hana_install_addhosts`. Default is `yes` for a fresh SAP HANA installation.
 
 The role can be configured to also set the required firewall ports for SAP HANA. If this is desired, set
-the variable `sap_hana_install_update_firewall` to `yes` (default is `no`). The firewall ports are defined
+the variable `sap_hana_install_update_firewall` to `true` (default is `false` that means the role will not touch
+any firewall related system settings, leaving whatever the system has unchanged). The firewall ports are defined
 in a variable which is compatible with the variable structure used by Linux System Role `firewall`.
 The firewall ports for SAP HANA are defined in member `port` of the first field of variable
 `sap_hana_install_firewall` (`sap_hana_install_firewall[0].port`), see file `defaults/main.yml`. If the
@@ -257,7 +258,7 @@ You can find more complex playbooks in directory `playbooks` of the collection `
     - Extract all SAR files into `sap_hana_install_software_extract_directory`.
 
 Note: For each SAPCAR or SAR file called or used by the role, if variable `sap_hana_install_verify_checksums`
-is set to `yes`, the role will perform a checksum verification against a specific or global checksum file.
+is set to `true`, the role will perform a checksum verification against a specific or global checksum file.
 
 - Check existence of `hdblcm` in `SAP_HANA_DATABASE` directory from the extracted SAR files.
 
@@ -327,7 +328,7 @@ With the following tags, the role can be called to perform certain activities on
   with `--skip-tags`, to skip modifying these directories. This can be useful when using tag
   `sap_hana_install_preinstall`.
 - tag `sap_hana_install_configure_firewall`: Use this flag to only configure the firewall ports for
-  SAP HANA. Note: The role variable `sap_hana_install_update_firewall` has to be set to `yes` as
+  SAP HANA. Note: The role variable `sap_hana_install_update_firewall` has to be set to `true` as
   well.
 - tag `sap_hana_install_extract_sarfiles`: Use this flag with `--skip-tags` to run the SAR file
   preparation steps of tag `sap_hana_install_prepare_sarfiles` without extracting the SAR files.

ansible/playbooks/roles/sap_hana_install/defaults/main.yml

@@ -11,39 +11,39 @@ sap_hana_install_software_directory: '/software/hana'
 # created again before the extraction starts.
 sap_hana_install_software_extract_directory: "{{ sap_hana_install_software_directory }}/extracted"
 
-# Set this variabe to `yes` if you want to copy the SAR files from `sap_hana_install_software_directory`
+# Set this variabe to `true` if you want to copy the SAR files from `sap_hana_install_software_directory`
 # to `sap_hana_install_software_extract_directory/sarfiles` before extracting.
 # This might be useful if the SAR files are on a slow fileshare.
-sap_hana_install_copy_sarfiles: no
+sap_hana_install_copy_sarfiles: false
 
-# Set the following variable to `yes` if you want to keep the copied SAR files. By default, the SAR files will be
+# Set the following variable to `true` if you want to keep the copied SAR files. By default, the SAR files will be
 # removed after extraction.
-sap_hana_install_keep_copied_sarfiles: no
+sap_hana_install_keep_copied_sarfiles: false
 
 # File name of SAPCAR*EXE in the software directory. If the variable is not set and there is more than one SAPCAR executable
 # in the software directory, the latest SAPCAR executable for the CPU architecture will be selected automatically.
-#sap_hana_install_sapcar_filename: SAPCAR_1115-70006178.EXE
+# sap_hana_install_sapcar_filename: SAPCAR_1115-70006178.EXE
 
 # List of file names of SAR files to extract. Can be set in case there are more SAR files in the software directory
 # than needed or desired for the HANA installation.
-#sap_hana_install_sarfiles:
-#  - SAPHOSTAGENT54_54-80004822.SAR
-#  - IMDB_SERVER20_060_0-80002031.SAR
+# sap_hana_install_sarfiles:
+#   - SAPHOSTAGENT54_54-80004822.SAR
+#   - IMDB_SERVER20_060_0-80002031.SAR
 
-# Set the following variable to `yes` to let the role abort if checksum verification fails for any SAPCAR or SAR file
+# Set the following variable to `true` to let the role abort if checksum verification fails for any SAPCAR or SAR file
 # called or used by the role.
-sap_hana_install_verify_checksums: no
+sap_hana_install_verify_checksums: false
 
 # Checksum algorithm for checksum verification. Default is sha256, for which a checksum is available in the SAP software
 # download pages.
 sap_hana_install_checksum_algorithm: sha256
 
 # In case a global checksum file is present, use the following variable to specify the full path to this file:
-#sap_hana_install_global_checksum_file: "{{ sap_hana_install_software_directory }}/SHA256"
+# sap_hana_install_global_checksum_file: "{{ sap_hana_install_software_directory }}/SHA256"
 
-# Set the following variable to `yes` to let hdbclm verify SAR file signatures. This corresponds to the hdblcm command line
+# Set the following variable to `true` to let hdbclm verify SAR file signatures. This corresponds to the hdblcm command line
 # argument `--verify_signature`.
-sap_hana_install_verify_signature: no
+sap_hana_install_verify_signature: false
 
 # hdblcm configfile related variables:
 # Directory where to store the hdblcm configfile template and the Jinja2 template:
@@ -57,31 +57,31 @@ sap_hana_install_local_configfile_directory: '/tmp'
 
 # If you would like to perform an installation check after the installation, set the following variable to 'yes'.
 # Note: This only works if there is no static configfile available in sap_hana_install_configfile_directory.
-sap_hana_install_check_installation: no
+sap_hana_install_check_installation: false
 
-# Only if sap_hana_install_check_installation (above) is set to 'yes', you can select which command to use by setting the
-# following variable to `yes` or `no`.
+# Only if sap_hana_install_check_installation (above) is set to 'true', you can select which command to use by setting the
+# following variable to `true` or `false`.
 # yes: use the command 'hdbcheck', with parameters `--remote_execution=ssh` and `--scope=system`
 # no: use the command `hdblcm --action=check_installation`
-sap_hana_install_use_hdbcheck: yes
+sap_hana_install_use_hdbcheck: true
 
-# If the following variable is set to `no`, the role will attempt to install SAP HANA even if there is already a sidadm user.
-# Default is `yes`.
-sap_hana_install_check_sidadm_user: yes
+# If the following variable is set to `false`, the role will attempt to install SAP HANA even if there is already a sidadm user.
+# Default is `true`.
+sap_hana_install_check_sidadm_user: true
 
-# If the following variable is undefined or set to `yes`, the role will perform a fresh SAP HANA installation.
-# If set to `no`, additional hosts as specified by variable sap_hana_install_addhosts will be added to
+# If the following variable is undefined or set to `true`, the role will perform a fresh SAP HANA installation.
+# If set to `false`, additional hosts as specified by variable sap_hana_install_addhosts will be added to
 # an existing HANA system.
-sap_hana_install_new_system: yes
+sap_hana_install_new_system: true
 
 # The first tenant database is using a port range not within the range of the ports of additional tenant databases.
 # In case this is not desired, you can set the following parameter to `yes` to recreate the initial tenant database.
-sap_hana_install_recreate_tenant_database: no
+sap_hana_install_recreate_tenant_database: false
 
 # The following parameter controls if the log_mode should be set to overwrite following the installation of the database.
 # log_mode overwrite is useful in non-prod testing as log backups are not created and disk use is kept low
 # However, log_mode overwrite disabled to ability to do point-in-time restores and is not supported in production
-sap_hana_set_log_mode_overwrite: no
+sap_hana_install_set_log_mode_overwrite: false
 
 ################
 # Parameters for hdblcm:
@@ -91,8 +91,8 @@ sap_hana_set_log_mode_overwrite: no
 sap_hana_install_components: 'all'
 
 # Pass some extra arguments to hdblcm, see some examples below.
-#sap_hana_install_hdblcm_extraargs: '--verify_signature'
-#sap_hana_install_hdblcm_extraargs: '--ignore=check_diskspace,check_min_mem'
+# sap_hana_install_hdblcm_extraargs: '--verify_signature'
+# sap_hana_install_hdblcm_extraargs: '--ignore=check_diskspace,check_min_mem'
 
 # Instance details
 sap_hana_install_sid:
@@ -105,25 +105,25 @@ sap_hana_install_restrict_max_mem: 'n'
 sap_hana_install_max_mem:
 
 # hdblcm will use default ids if blank
-sap_hana_install_userid: 
+sap_hana_install_userid:
 sap_hana_install_groupid:
 
 # Passwords
 # Setting master password to 'y' will use that master password for all passwords - recommended
 sap_hana_install_use_master_password: 'y'
 # Set one or more of the following password variables in your playbook or inventory.
-#sap_hana_install_master_password:
-#sap_hana_install_sidadm_password:
-#sap_hana_install_db_system_password:
-#sap_hana_install_lss_user_password:
-#sap_hana_install_lss_backup_password:
-#sap_hana_install_ase_user_password:
-#sap_hana_install_root_password:
-#sap_hana_install_sapadm_password:
-#sap_hana_install_xs_org_password:
+# sap_hana_install_master_password:
+# sap_hana_install_sidadm_password:
+# sap_hana_install_db_system_password:
+# sap_hana_install_lss_user_password:
+# sap_hana_install_lss_backup_password:
+# sap_hana_install_ase_user_password:
+# sap_hana_install_root_password:
+# sap_hana_install_sapadm_password:
+# sap_hana_install_xs_org_password:
 
 # Optional steps
-sap_hana_install_update_firewall: no
+sap_hana_install_update_firewall: false
 
 # List of firewall ports for SAP HANA. Note: The structure of the variable is compatible
 # with the variable `firewall` of Linux System Role `firewall`.
@@ -149,16 +149,16 @@ sap_hana_install_firewall:
       state: 'enabled' }
 
 # The following variable is no longer used. Setting /etc/hosts entries is done in role sap_general_preconfigure.
-#sap_hana_install_update_etchosts: yes
+# sap_hana_install_update_etchosts: yes
 
 # Post install parameters
 sap_hana_install_hdbuserstore_key: 'HDB_SYSTEMDB'
 sap_hana_install_nw_input_location: '/tmp'
 
 # License
-sap_hana_install_apply_license: no
-#sap_hana_install_license_path:
-#sap_hana_install_license_file_name:
+sap_hana_install_apply_license: false
+# sap_hana_install_license_path:
+# sap_hana_install_license_file_name:
 
 # Misc
 
@@ -178,7 +178,7 @@ sap_hana_install_create_initial_tenant: 'y'
 # hosts to an existing HANA system.
 # Corresponding hdblcm parameter: addhosts
 # Example:
-#sap_hana_install_addhosts: 'host2:role=worker,host3:role=worker:group=g02,host4:role=standby:group=g02'
+# sap_hana_install_addhosts: 'host2:role=worker,host3:role=worker:group=g02,host4:role=standby:group=g02'
 
 # The hostname is set by 'hdblcm --dump_configfile_template' during the preinstall phase but can also
 # be set to a different value in your playbook or hostvars:

ansible/playbooks/roles/sap_hana_install/tasks/main.yml

@@ -2,12 +2,12 @@
 
 - name: Rename some variables used by hdblcm configfile
   ansible.builtin.set_fact:
-    sap_hana_install_sid: "{{ sap_hana_sid|d(sap_hana_install_sid)|d('') }}"
-    sap_hana_install_number: "{{ sap_hana_instance_number|d(sap_hana_install_instance_number|d(sap_hana_install_number)|d('')) }}"
-    sap_hana_install_master_password: "{{ sap_hana_install_common_master_password|d(sap_hana_install_master_password) }}"
-    sap_hana_install_system_usage: "{{ sap_hana_install_env_type|d(sap_hana_install_system_usage) }}"
-    sap_hana_install_restrict_max_mem: "{{ sap_hana_install_mem_restrict|d(sap_hana_install_restrict_max_mem) }}"
-    sap_hana_set_log_mode_overwrite: "{{ sap_hana_set_log_mode_overwrite|default (true)}}"
+    sap_hana_install_sid: "{{ sap_hana_sid | d(sap_hana_install_sid) | d('') }}"
+    sap_hana_install_number: "{{ sap_hana_instance_number | d(sap_hana_install_instance_number | d(sap_hana_install_number) | d('')) }}"
+    sap_hana_install_master_password: "{{ sap_hana_install_common_master_password | d(sap_hana_install_master_password) }}"
+    sap_hana_install_system_usage: "{{ sap_hana_install_env_type | d(sap_hana_install_system_usage) }}"
+    sap_hana_install_restrict_max_mem: "{{ sap_hana_install_mem_restrict | d(sap_hana_install_restrict_max_mem) }}"
+    sap_hana_install_set_log_mode_overwrite: "{{ sap_hana_install_set_log_mode_overwrite | default(true) }}"
   tags:
     - sap_hana_install_preinstall
     - sap_hana_install_set_log_mode

ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: SAP HANA Post Install - Enable and start the firewalld service
-  ansible.builtin.systemd:
-    name: firewalld
-    state: started
-    enabled: yes
-  tags: sap_hana_install_configure_firewall
+# - name: SAP HANA Post Install - Enable and start the firewalld service
+#   ansible.builtin.systemd:
+#     name: firewalld
+#     state: started
+#     enabled: true
+#   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --add-port'
   ansible.builtin.set_fact:
@@ -37,12 +37,12 @@
 # of the no-changed-when rule, we just set changed_when to true here.
 - name: SAP HANA Post Install - Enable the required ports immediately
   ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }}"
-  changed_when: yes
+  changed_when: true
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Get the current firewall configuration of the default zone
   ansible.builtin.command: firewall-cmd --list-all
-  changed_when: no
+  changed_when: false
   register: __sap_hana_install_register_current_firewall_ports
   tags: sap_hana_install_configure_firewall
 
@@ -56,12 +56,12 @@
 # of the no-changed-when rule, we just set changed_when to true here.
 - name: SAP HANA Post Install - Enable the required ports permanently
   ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }} --permanent"
-  changed_when: yes
+  changed_when: true
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Get the permanent firewall configuration of the default zone
   ansible.builtin.command: firewall-cmd --list-all
-  changed_when: no
+  changed_when: false
   register: __sap_hana_install_register_permanent_firewall_ports
   tags: sap_hana_install_configure_firewall
 

ansible/playbooks/roles/sap_hana_install/tasks/post_install/log_mode.yml

@@ -18,15 +18,15 @@
     executable: /bin/bash
   become: true
   become_user: "{{ sap_hana_install_sid | lower }}adm"
-  when: 
+  when:
     - not ansible_check_mode
-    - sap_hana_set_log_mode_overwrite
-  changed_when: no
+    - sap_hana_install_set_log_mode_overwrite
+  changed_when: false
   register: __sap_hana_install_hdbsql_logmode
   tags: sap_hana_install_set_log_mode
 
 - name: SAP HANA Post Install - Display the output of hdbsql
   ansible.builtin.debug:
     var: __sap_hana_install_hdbsql_logmode.stdout_lines
   tags: sap_hana_install_set_log_mode
-  when: sap_hana_set_log_mode_overwrite
+  when: sap_hana_install_set_log_mode_overwrite

ansible/playbooks/roles/sap_hana_install/tasks/pre_install/prepare_sarfiles.yml

@@ -16,37 +16,35 @@
   when: sap_hana_install_sarfiles is defined
 
 - name: SAP HANA hdblcm prepare - Find all SAR files if 'sap_hana_install_sarfiles' is undefined
+  when: sap_hana_install_sarfiles is not defined
   block:
-
     - name: SAP HANA hdblcm prepare - Find all SAR files in '{{ sap_hana_install_software_directory }}'
       ansible.builtin.find:
         paths: "{{ sap_hana_install_software_directory }}"
-        recurse: no
+        recurse: false
         file_type: file
         patterns: '*.SAR'
       register: __sap_hana_install_register_find_sarfiles
 
     - name: SAP HANA hdblcm prepare - Create list of file names from the find result
       ansible.builtin.set_fact:
-        __sap_hana_install_fact_sarfiles: "{{ __sap_hana_install_fact_sarfiles|d([]) + [ item.path | basename ] }}"
+        __sap_hana_install_fact_sarfiles: "{{ __sap_hana_install_fact_sarfiles | d([]) + [item.path | basename] }}"
       loop: "{{ __sap_hana_install_register_find_sarfiles.files }}"
 
     - name: Display the resulting list of file names after find
       ansible.builtin.debug:
         var: __sap_hana_install_fact_sarfiles
 
-  when: sap_hana_install_sarfiles is not defined
-
-- name: Copy SAR files to final destination if 'sap_hana_install_copy_sarfiles' is 'yes'
+- name: Copy SAR files to final destination if 'sap_hana_install_copy_sarfiles' is 'true'
+  when: sap_hana_install_copy_sarfiles
   block:
-
-    - name: SAP HANA hdblcm prepare - Create directory '{{ sap_hana_install_software_extract_directory }}/sarfiles'
+    - name: SAP HANA hdblcm prepare - Create directory ./sarfiles
       ansible.builtin.file:
         path: "{{ sap_hana_install_software_extract_directory }}/sarfiles"
         state: directory
         mode: '0755'
 
-    - name: SAP HANA hdblcm prepare - Copy SAR files to '{{ sap_hana_install_software_extract_directory }}/sarfiles'
+    - name: SAP HANA hdblcm prepare - Copy SAR files to ./sarfiles
       ansible.builtin.copy:
         src: "{{ sap_hana_install_software_directory }}/{{ item }}"
         dest: "{{ sap_hana_install_software_extract_directory }}/sarfiles/{{ item }}"
@@ -60,11 +58,10 @@
       ansible.builtin.set_fact:
         __sap_hana_install_fact_sar_dir: "{{ sap_hana_install_software_extract_directory }}/sarfiles"
 
-  when: sap_hana_install_copy_sarfiles
 
 - name: SAP HANA hdblcm prepare - Fill list of dicts containing dir, file, and global checksum file
   ansible.builtin.set_fact:
-    __sap_hana_install_fact_sarfiles_dict: "{{ __sap_hana_install_fact_sarfiles_dict|d([]) + [ __sap_hana_install_tmp_sarfiles_dict ] }}"
+    __sap_hana_install_fact_sarfiles_dict: "{{ __sap_hana_install_fact_sarfiles_dict | d([]) + [__sap_hana_install_tmp_sarfiles_dict] }}"
   with_items: "{{ __sap_hana_install_fact_sarfiles }}"
   vars:
     __sap_hana_install_tmp_sarfiles_dict:
@@ -75,7 +72,7 @@
 
 - name: SAP HANA hdblcm prepare - Fill list of dicts containing dir, file, and specific checksum file
   ansible.builtin.set_fact:
-    __sap_hana_install_fact_sarfiles_dict: "{{ __sap_hana_install_fact_sarfiles_dict|d([]) + [ __sap_hana_install_tmp_sarfiles_dict ] }}"
+    __sap_hana_install_fact_sarfiles_dict: "{{ __sap_hana_install_fact_sarfiles_dict | d([]) + [__sap_hana_install_tmp_sarfiles_dict] }}"
   with_items: "{{ __sap_hana_install_fact_sarfiles }}"
   vars:
     __sap_hana_install_tmp_sarfiles_dict:
@@ -104,7 +101,7 @@
     - not ansible_check_mode
   tags: sap_hana_install_extract_sarfiles
 
-- name: SAP HANA hdblcm prepare - Remove temporary SAR file directory '{{ sap_hana_install_software_extract_directory }}/sarfiles'
+- name: SAP HANA hdblcm prepare - Remove temporary SAR file directory ./sarfiles
   ansible.builtin.file:
     path: "{{ sap_hana_install_software_extract_directory }}/sarfiles/"
     state: absent