Refactor firewall management

Introduces a new variable `firewall_cfg` in the `sap-hana-preconfigure`
playbook to provide more explicit control over the firewalld service.
This new variable allows to 'enable', 'disable', or 'ignore' the
firewall configuration.
The `sap_hana_install` role is updated to delegate the firewall
service management to the preconfigure playbook, avoiding conflicts
and centralizing the configuration.
The documentation has been updated to reflect these changes.

Author: mpagot

ansible/playbooks/roles/sap_hana_install/README.md

@@ -140,7 +140,8 @@ or if it will add further hosts to an existing SAP HANA system as specified by v
 `sap_hana_install_addhosts`. Default is `yes` for a fresh SAP HANA installation.
 
 The role can be configured to also set the required firewall ports for SAP HANA. If this is desired, set
-the variable `sap_hana_install_update_firewall` to `yes` (default is `no`). The firewall ports are defined
+the variable `sap_hana_install_update_firewall` to `yes` (default is `no`, that means the role will not touch
+any firewall related system settings, leaving whatever the system has unchanged). The firewall ports are defined
 in a variable which is compatible with the variable structure used by Linux System Role `firewall`.
 The firewall ports for SAP HANA are defined in member `port` of the first field of variable
 `sap_hana_install_firewall` (`sap_hana_install_firewall[0].port`), see file `defaults/main.yml`. If the

ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml

@@ -1,11 +1,12 @@
 ---
 
-- name: SAP HANA Post Install - Enable and start the firewalld service
-  ansible.builtin.systemd:
-    name: firewalld
-    state: started
-    enabled: yes
-  tags: sap_hana_install_configure_firewall
+# Controlled by sap-hana-preconfigure.yaml playbook
+#- name: SAP HANA Post Install - Enable and start the firewalld service
+#  ansible.builtin.systemd:
+#    name: firewalld
+#    state: started
+#    enabled: yes
+#  tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Set LogDenied to all in firewalld.conf
   ansible.builtin.lineinfile:

ansible/playbooks/sap-hana-preconfigure.yaml

@@ -24,6 +24,7 @@
     use_connecttimeout: 10
     saptune_solution: HANA
     cluster_node: true
+    firewall_cfg: 'ignore'
 
   tasks:
     # Ensure required installation of required packages
@@ -75,6 +76,39 @@
         state: present
       when: cluster_node | bool
 
+    - name: Validate firewall_cfg
+      ansible.builtin.assert:
+        that:
+          - firewall_cfg is defined
+          - firewall_cfg in ['ignore', 'enable', 'disable']
+        fail_msg: "Variable 'firewall_cfg' must be 'ignore', 'enable' or 'disable'. Found '{{ firewall_cfg }}'"
+
+    - name: Get service facts
+      ansible.builtin.service_facts:
+
+    - name: Debug firewall status on specific OS version
+      ansible.builtin.debug:
+        msg:
+          - "[OSADO][softfail] bsc#1254356"
+          - "The firewalld service is not stopped and disabled on this system."
+      when:
+        - ansible_distribution_major_version == '16'
+        - firewall_cfg != 'ignore'  # avoid to hide the bug by forcing the firewall state
+        - "'firewalld' in ansible_facts.services"
+        - ansible_facts.services['firewalld'].state != 'stopped' or ansible_facts.services['firewalld'].status != 'disabled'
+
+    - name: Set firewall service state and enabled status
+      ansible.builtin.set_fact:
+        firewall_service_state: "{{ 'started' if firewall_cfg == 'enable' else 'stopped' }}"
+        firewall_service_enabled: "{{ 'yes' if firewall_cfg == 'enable' else 'no' }}"
+
+    - name: Configure the firewall service state
+      ansible.builtin.systemd:
+        name: firewalld
+        state: "{{ firewall_service_state }}"
+        enabled: "{{ firewall_service_enabled }}"
+      when: firewall_cfg != 'ignore'
+
     - name: Configure sapconf based systems
       ansible.builtin.include_tasks: ./tasks/sapconf.yaml
       when: use_sapconf | bool