From 592680f51fc416e117b243c9c55fc84037e55185 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 9 Dec 2019 19:19:20 +0200
Subject: [PATCH] Install and enable firewalld if it is configured for
 ipareplica role

ipareplica role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.

Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.

Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).

If an administrator decides not to use firewalld, the default for the
ipareplica_setup_firewalld variable has to be set to 'no'.

Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
---
 README.md                            |  1 +
 roles/ipareplica/tasks/install.yml   | 13 +++++++++++++
 roles/ipareplica/vars/CentOS-7.yml   |  3 ++-
 roles/ipareplica/vars/Fedora-25.yml  |  3 ++-
 roles/ipareplica/vars/Fedora-26.yml  |  3 ++-
 roles/ipareplica/vars/Fedora-27.yml  |  3 ++-
 roles/ipareplica/vars/Fedora.yml     |  3 ++-
 roles/ipareplica/vars/RedHat-7.3.yml |  3 ++-
 roles/ipareplica/vars/RedHat-7.yml   |  3 ++-
 roles/ipareplica/vars/RedHat-8.yml   |  1 +
 roles/ipareplica/vars/Ubuntu.yml     |  1 +
 roles/ipareplica/vars/default.yml    |  1 +
 12 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index f0c995f0..4f90ac2f 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,7 @@ ipareplica_setup_firewalld=no
 ```
 
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
 
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 259ae3fb..98681e06 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -20,6 +20,19 @@
       state: present
     when: ipareplica_setup_adtrust | bool
 
+  - name: Install - Ensure that firewall packages installed
+    package:
+      name: "{{ ipareplica_packages_firewalld }}"
+      state: present
+    when: ipareplica_setup_firewalld | bool
+
+  - name: Firewalld service - Ensure that firewalld is running
+    systemd:
+      name: firewalld
+      enabled: yes
+      state: started
+    when: ipareplica_setup_firewalld | bool
+
   when: ipareplica_install_packages | bool
 
 #- name: Install - Include Python2/3 import test
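Review bot: The new "Firewalld service" task sits inside the task group that is closed by `when: ipareplica_install_packages | bool` at the end of the hunk, so on hosts where packages are pre-installed and that variable is set to no, firewalld is never enabled or started even though `ipareplica_setup_firewalld` is true, and the later firewall-cmd calls hit exactly the failure the commit message describes. Starting the service is not package installation; move the `systemd:` task out of this group so it is gated only by `when: ipareplica_setup_firewalld | bool`. While moving it, `enabled: true` is the canonical boolean (yamllint/ansible-lint flag `yes`), and a name prefixed `Install - ` would match the neighbouring tasks. The enclosing group (presumably a `block:`) starts before this hunk, so its header is not visible here.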
diff --git a/roles/ipareplica/vars/CentOS-7.yml b/roles/ipareplica/vars/CentOS-7.yml
index 2baa874f..614de3e5 100644
--- a/roles/ipareplica/vars/CentOS-7.yml
+++ b/roles/ipareplica/vars/CentOS-7.yml
@@ -2,4 +2,5 @@
 # vars/RedHat-7.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
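Review bot: The rewritten tail of CentOS-7.yml still has no trailing newline — the `\ No newline at end of file` marker remains after the added `ipareplica_packages_firewalld` line — so the next variable added to this file will again have to rewrite the previous line, which is what inflates this commit's diffstat with 7 deletions for a pure addition. Ending the file with a newline when touching it avoids that; the same applies to the Fedora-25.yml, Fedora-26.yml, Fedora-27.yml, Fedora.yml, RedHat-7.3.yml and RedHat-7.yml hunks, while the RedHat-8.yml, Ubuntu.yml and default.yml hunks already end cleanly.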
diff --git a/roles/ipareplica/vars/Fedora-25.yml b/roles/ipareplica/vars/Fedora-25.yml
index f1dc77f6..ce981ff8 100644
--- a/roles/ipareplica/vars/Fedora-25.yml
+++ b/roles/ipareplica/vars/Fedora-25.yml
@@ -2,4 +2,5 @@
 # vars/Fedora-25.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora-26.yml b/roles/ipareplica/vars/Fedora-26.yml
index a5250267..5a65e43a 100644
--- a/roles/ipareplica/vars/Fedora-26.yml
+++ b/roles/ipareplica/vars/Fedora-26.yml
@@ -2,4 +2,5 @@
 # vars/Fedora-26.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora-27.yml b/roles/ipareplica/vars/Fedora-27.yml
index f4e7ffcc..5d6f02a1 100644
--- a/roles/ipareplica/vars/Fedora-27.yml
+++ b/roles/ipareplica/vars/Fedora-27.yml
@@ -2,4 +2,5 @@
 # vars/Fedora.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora.yml b/roles/ipareplica/vars/Fedora.yml
index 5998d6de..f19fb996 100644
--- a/roles/ipareplica/vars/Fedora.yml
+++ b/roles/ipareplica/vars/Fedora.yml
@@ -2,4 +2,5 @@
 # vars/Fedora.yml
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
-ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-7.3.yml b/roles/ipareplica/vars/RedHat-7.3.yml
index f7a951bc..a0e7ffea 100644
--- a/roles/ipareplica/vars/RedHat-7.3.yml
+++ b/roles/ipareplica/vars/RedHat-7.3.yml
@@ -2,4 +2,5 @@
 # vars/RedHat-7.3.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-7.yml b/roles/ipareplica/vars/RedHat-7.yml
index 2baa874f..614de3e5 100644
--- a/roles/ipareplica/vars/RedHat-7.yml
+++ b/roles/ipareplica/vars/RedHat-7.yml
@@ -2,4 +2,5 @@
 # vars/RedHat-7.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-8.yml b/roles/ipareplica/vars/RedHat-8.yml
index 2aad358b..02573025 100644
--- a/roles/ipareplica/vars/RedHat-8.yml
+++ b/roles/ipareplica/vars/RedHat-8.yml
@@ -3,3 +3,4 @@
 ipareplica_packages: [ "@idm:DL1/server" ]
 ipareplica_packages_dns: [ "@idm:DL1/dns" ]
 ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipareplica/vars/Ubuntu.yml b/roles/ipareplica/vars/Ubuntu.yml
index 761989a6..7cdabbfb 100644
--- a/roles/ipareplica/vars/Ubuntu.yml
+++ b/roles/ipareplica/vars/Ubuntu.yml
@@ -2,3 +2,4 @@
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipareplica/vars/default.yml b/roles/ipareplica/vars/default.yml
index a1898867..ce7393a1 100644
--- a/roles/ipareplica/vars/default.yml
+++ b/roles/ipareplica/vars/default.yml
@@ -3,3 +3,4 @@
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
-- 
GitLab