linux-system-roles
diff --git a/‎README.md‎
Lines changed: 26 additions & 0 deletions b/‎README.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎library/ha_cluster_info.py‎
Lines changed: 115 additions & 0 deletions b/‎library/ha_cluster_info.py‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎module_utils/ha_cluster_lsr/info/exporter.py‎
Lines changed: 108 additions & 1 deletion b/‎module_utils/ha_cluster_lsr/info/exporter.py‎
Lines changed: 108 additions & 1 deletion
@@ -1574,8 +1574,18 @@ Note that depending on pcs version installed on managed nodes, certain variables
 may not be present in the export.
 
 * Following variables are present in the export:
+  * [`ha_cluster_enable_repos`](#ha_cluster_enable_repos) - RHEL and CentOS only
+  * [`ha_cluster_enable_repos_resilient_storage`](#ha_cluster_enable_repos_resilient_storage) -
+    RHEL and CentOS only
+  * [`ha_cluster_manage_firewall`](#ha_cluster_manage_firewall) (requires
+    `python3-firewall` to be installed on managed nodes)
+  * [`ha_cluster_manage_selinux`](#ha_cluster_manage_selinux) (requires
+    `python3-policycoreutils` to be installed on managed nodes)
   * [`ha_cluster_cluster_present`](#ha_cluster_cluster_present)
   * [`ha_cluster_start_on_boot`](#ha_cluster_start_on_boot)
+  * [`ha_cluster_install_cloud_agents`](#ha_cluster_install_cloud_agents) -
+    RHEL and CentOS only
+  * [`ha_cluster_pcs_permission_list`](#ha_cluster_pcs_permission_list)
   * [`ha_cluster_cluster_name`](#ha_cluster_cluster_name)
   * [`ha_cluster_transport`](#ha_cluster_transport)
   * [`ha_cluster_totem`](#ha_cluster_totem)
@@ -1588,13 +1598,29 @@ may not be present in the export.
   * [`ha_cluster_hacluster_password`](#ha_cluster_hacluster_password) - This is
     a mandatory variable for the role but it cannot be extracted from existing
     clusters.
+  * [`ha_cluster_hacluster_qdevice_password`](#ha_cluster_hacluster_qdevice_password) -
+    Cannot be extracted from existing clusters.
+  * [`ha_cluster_fence_agent_packages`](#ha_cluster_fence_agent_packages)
+  * [`ha_cluster_extra_packages`](#ha_cluster_extra_packages) - Cannot be
+    extracted from existing clusters.
+  * [`ha_cluster_use_latest_packages`](#ha_cluster_use_latest_packages) - It is
+    your responsibility to decide if you want to upgrade cluster packages to
+    their latest version.
   * [`ha_cluster_corosync_key_src`](#ha_cluster_corosync_key_src),
     [`ha_cluster_pacemaker_key_src`](#ha_cluster_pacemaker_key_src) and
     [`ha_cluster_fence_virt_key_src`](#ha_cluster_fence_virt_key_src) - These
     are supposed to contain paths to files with the keys. Since the keys
     themselves are not exported, these variables are not present in the export
     either. Corosync and pacemaker keys are supposed to be unique for each
     cluster.
+  * [`ha_cluster_pcsd_public_key_src` and `ha_cluster_pcsd_private_key_src`](#ha_cluster_pcsd_public_key_src-ha_cluster_pcsd_private_key_src) -
+    These are supposed to contain paths to files with TLS certificate and
+    private key for pcsd. Since the certificate and key themselves are not
+    exported, these variables are not present in the export either.
+  * [`ha_cluster_pcsd_certificates`](#ha_cluster_pcsd_certificates) - The value
+    of this variable is set to the variable `certificate_requests` in the
+    `certificate` role. See the `certificate` role documentation to check if it
+    provides any means for exporting configuration.
   * [`ha_cluster_regenerate_keys`](#ha_cluster_regenerate_keys) - It is your
     responsibility to decide if you want to use existing keys or generate new
     ones.
 
@@ -27,6 +27,8 @@
 requirements:
     - pcs-0.10.8 or newer installed on managed nodes
     - pcs-0.10.8 or newer for exporting corosync configuration
+    - python3-firewall for exporting ha_cluster_manage_firewall
+    - python3-policycoreutils for exporting ha_cluster_manage_selinux
     - python 3.6 or newer
 """
 
@@ -49,8 +51,14 @@
           certain variables may not be exported.
         - HORIZONTALLINE
         - Following variables are present in the output
+        - ha_cluster_enable_repos
+        - ha_cluster_enable_repos_resilient_storage
+        - ha_cluster_manage_firewall
+        - ha_cluster_manage_selinux
         - ha_cluster_cluster_present
         - ha_cluster_start_on_boot
+        - ha_cluster_install_cloud_agents
+        - ha_cluster_pcs_permission_list
         - ha_cluster_cluster_name
         - ha_cluster_transport
         - ha_cluster_totem
@@ -64,9 +72,16 @@
         - HORIZONTALLINE
         - Following variables are never present in this module output (consult
           the role documentation for impact of the variables missing)
+        - ha_cluster_fence_agent_packages
+        - ha_cluster_extra_packages
+        - ha_cluster_use_latest_packages
+        - ha_cluster_hacluster_qdevice_password
         - ha_cluster_corosync_key_src
         - ha_cluster_pacemaker_key_src
         - ha_cluster_fence_virt_key_src
+        - ha_cluster_pcsd_public_key_src
+        - ha_cluster_pcsd_private_key_src
+        - ha_cluster_pcsd_certificates
         - ha_cluster_regenerate_keys
         - HORIZONTALLINE
 """
@@ -78,6 +93,34 @@
 # pylint: disable=no-name-in-module
 from ansible.module_utils.ha_cluster_lsr.info import exporter, loader
 
+try:
+    # firewall module doesn't provide type hints
+    from firewall.client import FirewallClient  # type:ignore
+
+    HAS_FIREWALL = True
+except ImportError:
+    # create the class so it can be replaced by a mock in unit tests
+    class FirewallClient:  # type: ignore
+        # pylint: disable=missing-class-docstring
+        # pylint: disable=too-few-public-methods
+        pass
+
+    HAS_FIREWALL = False
+
+try:
+    # selinux module doesn't provide type hints
+    from seobject import portRecords as SelinuxPortRecords  # type: ignore
+
+    HAS_SELINUX = True
+except ImportError:
+    # create the class so it can be replaced by a mock in unit tests
+    class SelinuxPortRecords:  # type: ignore
+        # pylint: disable=missing-class-docstring
+        # pylint: disable=too-few-public-methods
+        pass
+
+    HAS_SELINUX = False
+
 
 def get_cmd_runner(module: AnsibleModule) -> loader.CommandRunner:
     """
@@ -94,6 +137,74 @@ def runner(
     return runner
 
 
+def export_os_configuration(module: AnsibleModule) -> Dict[str, Any]:
+    """
+    Export OS configuration managed by the role
+    """
+    result: dict[str, Any] = dict()
+    cmd_runner = get_cmd_runner(module)
+
+    if loader.is_rhel_or_clone():
+        # The role only enables repos on RHEL and SLES.
+        dnf_repolist = loader.get_dnf_repolist(cmd_runner)
+        if dnf_repolist is not None:
+            result["ha_cluster_enable_repos"] = exporter.export_enable_repos_ha(
+                dnf_repolist
+            )
+            result["ha_cluster_enable_repos_resilient_storage"] = (
+                exporter.export_enable_repos_rs(dnf_repolist)
+            )
+
+        # Cloud agent packages are only handled on RHEL.
+        installed_packages = loader.get_rpm_installed_packages(cmd_runner)
+        if installed_packages is not None:
+            result["ha_cluster_install_cloud_agents"] = (
+                exporter.export_install_cloud_agents(installed_packages)
+            )
+
+    if HAS_FIREWALL:
+        fw_client = FirewallClient()
+        fw_config = loader.get_firewall_config(fw_client)
+        manage_firewall = False
+        if fw_config is not None:
+            manage_firewall = exporter.export_manage_firewall(fw_config)
+            result["ha_cluster_manage_firewall"] = manage_firewall
+
+        # ha_cluster_manage_selinux is irrelevant when running the role if
+        # ha_cluster_manage_firewall is not True
+        if HAS_SELINUX and manage_firewall:
+            selinux_ports = SelinuxPortRecords()
+            ha_ports_firewall = loader.get_firewall_ha_cluster_ports(fw_client)
+            ha_ports_selinux = loader.get_selinux_ha_cluster_ports(
+                selinux_ports
+            )
+            if ha_ports_firewall is not None and ha_ports_selinux is not None:
+                result["ha_cluster_manage_selinux"] = (
+                    exporter.export_manage_selinux(
+                        ha_ports_firewall, ha_ports_selinux
+                    )
+                )
+
+    return result
+
+
+def export_pcsd_configuration() -> Dict[str, Any]:
+    """
+    Export pcsd configuration managed by the role
+    """
+    result: dict[str, Any] = dict()
+
+    pcsd_settings_dict = loader.get_pcsd_settings_conf()
+    if pcsd_settings_dict is not None:
+        pcs_permissions = exporter.export_pcs_permission_list(
+            pcsd_settings_dict
+        )
+        if pcs_permissions is not None:
+            result["ha_cluster_pcs_permission_list"] = pcs_permissions
+
+    return result
+
+
 def export_cluster_configuration(module: AnsibleModule) -> Dict[str, Any]:
     """
     Export existing HA cluster configuration
@@ -156,9 +267,13 @@ def main() -> None:
 
     try:
         if loader.has_corosync_conf():
+            ha_cluster_result.update(**export_os_configuration(module))
+            ha_cluster_result.update(**export_pcsd_configuration())
             ha_cluster_result.update(**export_cluster_configuration(module))
             ha_cluster_result["ha_cluster_cluster_present"] = True
         else:
+            # Exporting qnetd configuration will be added later here. It will
+            # probably call export_os and export_pcsd.
             ha_cluster_result["ha_cluster_cluster_present"] = False
         module.exit_json(**module_result)
     except exporter.JsonMissingKey as e:
 
@@ -12,7 +12,7 @@
 __metaclass__ = type
 
 from contextlib import contextmanager
-from typing import Any, Dict, Iterator, List
+from typing import Any, Dict, Iterator, List, Optional, Tuple
 
 
 class JsonMissingKey(Exception):
@@ -48,6 +48,55 @@ def _handle_missing_key(data: Dict[str, Any], data_desc: str) -> Iterator[None]:
         raise JsonMissingKey(e.args[0], data, data_desc) from e
 
 
+def export_enable_repos_ha(dnf_repolist: str) -> bool:
+    """
+    Check whether high availability repository is enabled based on dnf repolist
+
+    dnf_repolist -- text output of 'dnf repolist'
+    """
+    repo_strings = ["highavailability", "HighAvailability"]
+    return any(repo in dnf_repolist for repo in repo_strings)
+
+
+def export_enable_repos_rs(dnf_repolist: str) -> bool:
+    """
+    Check whether resilient storage repository is enabled based on dnf repolist
+
+    dnf_repolist -- text output of 'dnf repolist'
+    """
+    repo_strings = ["resilientstorage"]
+    return any(repo in dnf_repolist for repo in repo_strings)
+
+
+def export_install_cloud_agents(installed_packages: List[str]) -> bool:
+    """
+    Check whether cloud agent packages are installed
+
+    installed packages -- list of names of installed packages
+    """
+    # List of cloud agent packages is taken from vars/RedHat_*.yml and
+    # vars/CentOS_*.yml
+    # They are hardcoded here to avoid dependency on pyyaml which may or may
+    # not be available.
+    # We don't need to check for architecture - a package not available for an
+    # architecture will never be listed as installed on that architecture.
+    cloud_agent_packages = {
+        "fence-agents-aliyun",
+        "fence-agents-aws",
+        "fence-agents-azure-arm",
+        "fence-agents-compute",
+        "fence-agents-gce",
+        "fence-agents-ibm-powervs",
+        "fence-agents-ibm-vpc",
+        "fence-agents-kubevirt",
+        "fence-agents-openstack",
+        "resource-agents-aliyun",
+        "resource-agents-cloud",
+        "resource-agents-gcp",
+    }
+    return bool(cloud_agent_packages.intersection(installed_packages))
+
+
 def export_start_on_boot(
     corosync_enabled: bool, pacemaker_enabled: bool
 ) -> bool:
@@ -57,6 +106,35 @@ def export_start_on_boot(
     return corosync_enabled or pacemaker_enabled
 
 
+def export_manage_firewall(zone_config: Dict[str, Any]) -> bool:
+    """
+    Export whether HA cluster is enabled in firewall
+
+    zone_config -- configuration of a firewall zone
+    """
+    return (
+        "high-availability" in zone_config["services"]
+        or ("1229", "tcp") in zone_config["ports"]
+    )
+
+
+def export_manage_selinux(
+    ha_ports_used: List[Tuple[str, str]],
+    ha_ports_selinux: Tuple[List[str], List[str]],
+) -> bool:
+    """
+    Export whether HA cluster ports are managed by selinux
+
+    ha_ports_used -- ports used by HA cluster
+    ha_ports_selinux -- ports labelled for HA cluster in selinux
+    """
+    # convert selinux ports to the same format as used ports
+    ports_selinux_tuples = [(port, "tcp") for port in ha_ports_selinux[0]] + [
+        (port, "udp") for port in ha_ports_selinux[1]
+    ]
+    return bool(frozenset(ports_selinux_tuples) & frozenset(ha_ports_used))
+
+
 def export_corosync_cluster_name(corosync_conf_dict: Dict[str, Any]) -> str:
     """
     Extract cluster name form corosync config in pcs format
@@ -167,3 +245,32 @@ def export_cluster_nodes(
             # finish one node export
             node_list.append(one_node)
         return node_list
+
+
+def export_pcs_permission_list(
+    pcs_settings_conf_dict: Dict[str, Any],
+) -> Optional[List[Dict[str, Any]]]:
+    """
+    Extract local cluster permissions from pcs_settings config or None on error
+
+    pcs_settings -- JSON parsed pcs_settings.conf
+    """
+    # Currently, only format version 2 is in use, so we don't check for file
+    # format version
+    result: List[Dict[str, Any]] = []
+    with _handle_missing_key(pcs_settings_conf_dict, "pcs_settings.conf"):
+        permission_dict = pcs_settings_conf_dict["permissions"]
+        if not isinstance(permission_dict, dict):
+            return None
+        permission_list = permission_dict["local_cluster"]
+        if not isinstance(permission_list, list):
+            return None
+        for permission_item in permission_list:
+            result.append(
+                {
+                    "type": permission_item["type"],
+                    "name": permission_item["name"],
+                    "allow_list": list(permission_item["allow"]),
+                }
+            )
+        return result