Firewall config

ansible/playbooks/roles/sap_hana_install/README.md

@@ -140,7 +140,8 @@ or if it will add further hosts to an existing SAP HANA system as specified by v
 `sap_hana_install_addhosts`. Default is `yes` for a fresh SAP HANA installation.
 
 The role can be configured to also set the required firewall ports for SAP HANA. If this is desired, set
-the variable `sap_hana_install_update_firewall` to `yes` (default is `no`). The firewall ports are defined
+the variable `sap_hana_install_update_firewall` to `yes` (default is `no`, that means the role will not touch
+any firewall related system settings, leaving whatever the system has unchanged). The firewall ports are defined
 in a variable which is compatible with the variable structure used by Linux System Role `firewall`.
 The firewall ports for SAP HANA are defined in member `port` of the first field of variable
 `sap_hana_install_firewall` (`sap_hana_install_firewall[0].port`), see file `defaults/main.yml`. If the

ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml

@@ -1,10 +1,18 @@
 ---
 
-- name: SAP HANA Post Install - Enable and start the firewalld service
-  ansible.builtin.systemd:
-    name: firewalld
-    state: started
-    enabled: yes
+# Controlled by sap-hana-preconfigure.yaml playbook
+#- name: SAP HANA Post Install - Enable and start the firewalld service
+#  ansible.builtin.systemd:
+#    name: firewalld
+#    state: started
+#    enabled: yes
+#  tags: sap_hana_install_configure_firewall
+
+- name: SAP HANA Post Install - Set LogDenied to all in firewalld.conf
+  ansible.builtin.lineinfile:
+    path: /etc/firewalld/firewalld.conf
+    regexp: '^LogDenied=off'
+    line: 'LogDenied=all'
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --add-port'
@@ -37,12 +45,12 @@
 # of the no-changed-when rule, we just set changed_when to true here.
 - name: SAP HANA Post Install - Enable the required ports immediately
   ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }}"
   changed_when: yes
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Get the current firewall configuration of the default zone
   ansible.builtin.command: firewall-cmd --list-all
   changed_when: no
   register: __sap_hana_install_register_current_firewall_ports
   tags: sap_hana_install_configure_firewall
 
@@ -56,12 +64,12 @@
 # of the no-changed-when rule, we just set changed_when to true here.
 - name: SAP HANA Post Install - Enable the required ports permanently
   ansible.builtin.command: "{{ __sap_hana_install_fact_firewall_cmd_command }} --permanent"
   changed_when: yes
   tags: sap_hana_install_configure_firewall
 
 - name: SAP HANA Post Install - Get the permanent firewall configuration of the default zone
   ansible.builtin.command: firewall-cmd --list-all
   changed_when: no
   register: __sap_hana_install_register_permanent_firewall_ports
   tags: sap_hana_install_configure_firewall
 
@@ -69,3 +77,16 @@
   ansible.builtin.debug:
     var: __sap_hana_install_register_permanent_firewall_ports.stdout_lines
   tags: sap_hana_install_configure_firewall
+
+- name: SAP HANA Post Install - Add SELinux port labels
+  # Note: The 'semanage port' command uses a dash '-' to define port ranges,
+  #       e.g., 'semanage port -a -t sap_port_t -p tcp 30000-30010'
+  ansible.builtin.command: "semanage port -a -t sap_port_t -p {{ item.split('/')[1] }} {{ item.split('/')[0] }}"
+  loop: "{{ sap_hana_install_firewall[0].port }}"
+  when: sap_hana_install_firewall[0].state == 'enabled'
+  register: __sap_hana_install_register_semanage_ports
+  changed_when: __sap_hana_install_register_semanage_ports.rc == 0
+  failed_when:
+    - __sap_hana_install_register_semanage_ports.rc != 0
+    - "'Port is already defined' not in __sap_hana_install_register_semanage_ports.stderr"
+  tags: sap_hana_install_configure_firewall

ansible/playbooks/sap-hana-preconfigure.yaml

@@ -24,6 +24,7 @@
     use_connecttimeout: 10
     saptune_solution: HANA
     cluster_node: true
+    firewall_cfg: 'ignore'
 
   tasks:
     # Ensure required installation of required packages
@@ -75,6 +76,39 @@
         state: present
       when: cluster_node | bool
 
+    - name: Validate firewall_cfg
+      ansible.builtin.assert:
+        that:
+          - firewall_cfg is defined
+          - firewall_cfg in ['ignore', 'enable', 'disable']
+        fail_msg: "Variable 'firewall_cfg' must be 'ignore', 'enable' or 'disable'. Found '{{ firewall_cfg }}'"
+
+    - name: Get service facts
+      ansible.builtin.service_facts:
+
+    - name: Debug firewall status on specific OS version
+      ansible.builtin.debug:
+        msg:
+          - "[OSADO][softfail] bsc#1254356"
+          - "The firewalld service is not stopped and disabled on this system."
+      when:
+        - ansible_distribution_major_version == '16'
+        - firewall_cfg != 'ignore'  # avoid to hide the bug by forcing the firewall state
+        - "'firewalld' in ansible_facts.services"
+        - ansible_facts.services['firewalld'].state != 'stopped' or ansible_facts.services['firewalld'].status != 'disabled'
+
+    - name: Set firewall service state and enabled status
+      ansible.builtin.set_fact:
+        firewall_service_state: "{{ 'started' if firewall_cfg == 'enable' else 'stopped' }}"
+        firewall_service_enabled: "{{ 'yes' if firewall_cfg == 'enable' else 'no' }}"
+
+    - name: Configure the firewall service state
+      ansible.builtin.systemd:
+        name: firewalld
+        state: "{{ firewall_service_state }}"
+        enabled: "{{ firewall_service_enabled }}"
+      when: firewall_cfg != 'ignore'
+
     - name: Configure sapconf based systems
       ansible.builtin.include_tasks: ./tasks/sapconf.yaml
       when: use_sapconf | bool