feat: ha_cluster_info: export firewall and selinux

Author: tomjelinek

README.md

@@ -1577,6 +1577,10 @@ may not be present in the export.
   * [`ha_cluster_enable_repos`](#ha_cluster_enable_repos) - RHEL and CentOS only
   * [`ha_cluster_enable_repos_resilient_storage`](#ha_cluster_enable_repos_resilient_storage) -
     RHEL and CentOS only
+  * [`ha_cluster_manage_firewall`](#ha_cluster_manage_firewall) (requires
+    `python3-firewall` to be installed on managed nodes)
+  * [`ha_cluster_manage_selinux`](#ha_cluster_manage_selinux) (requires
+    `python3-policycoreutils` to be installed on managed nodes)
   * [`ha_cluster_cluster_present`](#ha_cluster_cluster_present)
   * [`ha_cluster_start_on_boot`](#ha_cluster_start_on_boot)
   * [`ha_cluster_install_cloud_agents`](#ha_cluster_install_cloud_agents) -
@@ -1613,6 +1617,10 @@ may not be present in the export.
     These are supposed to contain paths to files with TLS certificate and
     private key for pcsd. Since the certificate and key themselves are not
     exported, these variables are not present in the export either.
+  * [`ha_cluster_pcsd_certificates`](#ha_cluster_pcsd_certificates) - The value
+    of this variable is set to the variable `certificate_requests` in the
+    `certificate` role. See the `certificate` role documentation to check if it
+    provides any means for exporting configuration.
   * [`ha_cluster_regenerate_keys`](#ha_cluster_regenerate_keys) - It is your
     responsibility to decide if you want to use existing keys or generate new
     ones.

library/ha_cluster_info.py

@@ -27,6 +27,8 @@
 requirements:
     - pcs-0.10.8 or newer installed on managed nodes
     - pcs-0.10.8 or newer for exporting corosync configuration
+    - python3-firewall for exporting ha_cluster_manage_firewall
+    - python3-policycoreutils for exporting ha_cluster_manage_selinux
     - python 3.6 or newer
 """
 
@@ -51,6 +53,8 @@
         - Following variables are present in the output
         - ha_cluster_enable_repos
         - ha_cluster_enable_repos_resilient_storage
+        - ha_cluster_manage_firewall
+        - ha_cluster_manage_selinux
         - ha_cluster_cluster_present
         - ha_cluster_start_on_boot
         - ha_cluster_install_cloud_agents
@@ -77,6 +81,7 @@
         - ha_cluster_fence_virt_key_src
         - ha_cluster_pcsd_public_key_src
         - ha_cluster_pcsd_private_key_src
+        - ha_cluster_pcsd_certificates
         - ha_cluster_regenerate_keys
         - HORIZONTALLINE
 """
@@ -88,6 +93,34 @@
 # pylint: disable=no-name-in-module
 from ansible.module_utils.ha_cluster_lsr.info import exporter, loader
 
+try:
+    # firewall module doesn't provide type hints
+    from firewall.client import FirewallClient  # type:ignore
+
+    HAS_FIREWALL = True
+except ImportError:
+    # create the class so it can be replaced by a mock in unit tests
+    class FirewallClient:  # type: ignore
+        # pylint: disable=missing-class-docstring
+        # pylint: disable=too-few-public-methods
+        pass
+
+    HAS_FIREWALL = False
+
+try:
+    # selinux module doesn't provide type hints
+    from seobject import portRecords as SelinuxPortRecords  # type: ignore
+
+    HAS_SELINUX = True
+except ImportError:
+    # create the class so it can be replaced by a mock in unit tests
+    class SelinuxPortRecords:  # type: ignore
+        # pylint: disable=missing-class-docstring
+        # pylint: disable=too-few-public-methods
+        pass
+
+    HAS_SELINUX = False
+
 
 def get_cmd_runner(module: AnsibleModule) -> loader.CommandRunner:
     """
@@ -129,6 +162,29 @@ def export_os_configuration(module: AnsibleModule) -> Dict[str, Any]:
                 exporter.export_install_cloud_agents(installed_packages)
             )
 
+    if HAS_FIREWALL:
+        fw_client = FirewallClient()
+        fw_config = loader.get_firewall_config(fw_client)
+        manage_firewall = False
+        if fw_config is not None:
+            manage_firewall = exporter.export_manage_firewall(fw_config)
+            result["ha_cluster_manage_firewall"] = manage_firewall
+
+        # ha_cluster_manage_selinux is irrelevant when running the role if
+        # ha_cluster_manage_firewall is not True
+        if HAS_SELINUX and manage_firewall:
+            selinux_ports = SelinuxPortRecords()
+            ha_ports_firewall = loader.get_firewall_ha_cluster_ports(fw_client)
+            ha_ports_selinux = loader.get_selinux_ha_cluster_ports(
+                selinux_ports
+            )
+            if ha_ports_firewall is not None and ha_ports_selinux is not None:
+                result["ha_cluster_manage_selinux"] = (
+                    exporter.export_manage_selinux(
+                        ha_ports_firewall, ha_ports_selinux
+                    )
+                )
+
     return result
 
 

module_utils/ha_cluster_lsr/info/exporter.py

@@ -12,7 +12,7 @@
 __metaclass__ = type
 
 from contextlib import contextmanager
-from typing import Any, Dict, Iterator, List, Optional
+from typing import Any, Dict, Iterator, List, Optional, Tuple
 
 
 class JsonMissingKey(Exception):
@@ -106,6 +106,35 @@ def export_start_on_boot(
     return corosync_enabled or pacemaker_enabled
 
 
+def export_manage_firewall(zone_config: Dict[str, Any]) -> bool:
+    """
+    Export whether HA cluster is enabled in firewall
+
+    zone_config -- configuration of a firewall zone
+    """
+    return (
+        "high-availability" in zone_config["services"]
+        or ("1229", "tcp") in zone_config["ports"]
+    )
+
+
+def export_manage_selinux(
+    ha_ports_used: List[Tuple[str, str]],
+    ha_ports_selinux: Tuple[List[str], List[str]],
+) -> bool:
+    """
+    Export whether HA cluster ports are managed by selinux
+
+    ha_ports_used -- ports used by HA cluster
+    ha_ports_selinux -- ports labelled for HA cluster in selinux
+    """
+    # convert selinux ports to the same format as used ports
+    ports_selinux_tuples = [(port, "tcp") for port in ha_ports_selinux[0]] + [
+        (port, "udp") for port in ha_ports_selinux[1]
+    ]
+    return bool(frozenset(ports_selinux_tuples) & frozenset(ha_ports_used))
+
+
 def export_corosync_cluster_name(corosync_conf_dict: Dict[str, Any]) -> str:
     """
     Extract cluster name form corosync config in pcs format

module_utils/ha_cluster_lsr/info/loader.py

@@ -147,6 +147,67 @@ def is_service_enabled(run_command: CommandRunner, service: str) -> bool:
     return rc == 0
 
 
+def get_firewall_config(
+    fw: Any,  # firewall module doesn't provide type hints
+) -> Optional[Dict[str, Any]]:
+    """
+    Get simplified firewall config of a given zone or None on error
+
+    fw -- firewall client instance
+    """
+    try:
+        settings = fw.config().getZoneByName(fw.getDefaultZone()).getSettings()
+        return {
+            "services": settings.getServices(),
+            "ports": settings.getPorts(),
+        }
+    # pylint: disable=broad-exception-caught
+    # catch any exception, firewall is not installed or not running, etc.
+    except Exception:
+        return None
+
+
+def get_firewall_ha_cluster_ports(
+    fw: Any,  # firewall module doesn't provide type hints
+) -> Optional[List[Tuple[str, str]]]:
+    """
+    Get ports used by HA cluster or None on error
+
+    fw -- firewall client instance
+    """
+    try:
+        return (
+            fw.config()
+            .getServiceByName("high-availability")
+            .getSettings()
+            .getPorts()
+        )
+    # pylint: disable=broad-exception-caught
+    # catch any exception, firewall is not installed or not running, etc.
+    except Exception:
+        return None
+
+
+def get_selinux_ha_cluster_ports(
+    selinux_ports: Any,  # selinux module doesn't provide type hints
+) -> Optional[Tuple[List[str], List[str]]]:
+    """
+    Get TCP and UDP ports labelled for HA cluster in selinux or None on error
+
+    selinux_ports -- selinux port records instance
+    """
+    try:
+        all_ports = selinux_ports.get_all_by_type()
+        return (
+            all_ports.get(("cluster_port_t", "tcp"), []),
+            all_ports.get(("cluster_port_t", "udp"), []),
+        )
+    # pylint: disable=broad-exception-caught
+    # catch any exception, selinux not available, etc.
+    except Exception:
+        return None
+
+
 def _call_pcs_cli(
     run_command: CommandRunner, command: List[str]
 ) -> Dict[str, Any]:

tests/tests_cluster_advanced_knet_full.yml

@@ -132,6 +132,8 @@
                 ha_cluster_facts | combine({
                   'ha_cluster_enable_repos': 'it depends on test environment',
                   'ha_cluster_enable_repos_resilient_storage': 'it depends on test environment',
+                  'ha_cluster_manage_firewall': 'it depends on test environment',
+                  'ha_cluster_manage_selinux': 'it depends on test environment',
                   'ha_cluster_install_cloud_agents': 'it depends on test environment',
                   'ha_cluster_node_options': 'it depends on test environment'
                 })
@@ -166,6 +168,8 @@
                   allow_list: ["grant", "read", "write"]
               ha_cluster_enable_repos: "it depends on test environment"
               ha_cluster_enable_repos_resilient_storage: "it depends on test environment"
+              ha_cluster_manage_firewall: "it depends on test environment"
+              ha_cluster_manage_selinux: "it depends on test environment"
               ha_cluster_install_cloud_agents: "it depends on test environment"
               ha_cluster_node_options: "it depends on test environment"
           block:

tests/tests_cluster_advanced_knet_implicit.yml

@@ -70,6 +70,8 @@
                 ha_cluster_facts | combine({
                   'ha_cluster_enable_repos': 'it depends on test environment',
                   'ha_cluster_enable_repos_resilient_storage': 'it depends on test environment',
+                  'ha_cluster_manage_firewall': 'it depends on test environment',
+                  'ha_cluster_manage_selinux': 'it depends on test environment',
                   'ha_cluster_install_cloud_agents': 'it depends on test environment',
                   'ha_cluster_node_options': 'it depends on test environment'
                 })
@@ -87,6 +89,8 @@
                   allow_list: ["grant", "read", "write"]
               ha_cluster_enable_repos: "it depends on test environment"
               ha_cluster_enable_repos_resilient_storage: "it depends on test environment"
+              ha_cluster_manage_firewall: "it depends on test environment"
+              ha_cluster_manage_selinux: "it depends on test environment"
               ha_cluster_install_cloud_agents: "it depends on test environment"
               ha_cluster_node_options: "it depends on test environment"
           block:

tests/tests_cluster_advanced_udp_full.yml

@@ -94,6 +94,8 @@
                 ha_cluster_facts | combine({
                   'ha_cluster_enable_repos': 'it depends on test environment',
                   'ha_cluster_enable_repos_resilient_storage': 'it depends on test environment',
+                  'ha_cluster_manage_firewall': 'it depends on test environment',
+                  'ha_cluster_manage_selinux': 'it depends on test environment',
                   'ha_cluster_install_cloud_agents': 'it depends on test environment',
                   'ha_cluster_node_options': 'it depends on test environment'
                 })
@@ -111,6 +113,8 @@
                   allow_list: ["grant", "read", "write"]
               ha_cluster_enable_repos: "it depends on test environment"
               ha_cluster_enable_repos_resilient_storage: "it depends on test environment"
+              ha_cluster_manage_firewall: "it depends on test environment"
+              ha_cluster_manage_selinux: "it depends on test environment"
               ha_cluster_install_cloud_agents: "it depends on test environment"
               ha_cluster_node_options: "it depends on test environment"
           block:

tests/tests_cluster_basic.yml

@@ -120,6 +120,8 @@
                 ha_cluster_facts | combine({
                   'ha_cluster_enable_repos': 'it depends on test environment',
                   'ha_cluster_enable_repos_resilient_storage': 'it depends on test environment',
+                  'ha_cluster_manage_firewall': 'it depends on test environment',
+                  'ha_cluster_manage_selinux': 'it depends on test environment',
                   'ha_cluster_install_cloud_agents': 'it depends on test environment',
                   'ha_cluster_node_options': 'it depends on test environment'
                 })
@@ -141,6 +143,8 @@
                   allow_list: ["grant", "read", "write"]
               ha_cluster_enable_repos: "it depends on test environment"
               ha_cluster_enable_repos_resilient_storage: "it depends on test environment"
+              ha_cluster_manage_firewall: "it depends on test environment"
+              ha_cluster_manage_selinux: "it depends on test environment"
               ha_cluster_install_cloud_agents: "it depends on test environment"
               ha_cluster_node_options: "it depends on test environment"
           block:

tests/tests_cluster_basic_cloud_packages.yml

@@ -66,6 +66,8 @@
                 ha_cluster_facts | combine({
                   'ha_cluster_enable_repos': 'it depends on test environment',
                   'ha_cluster_enable_repos_resilient_storage': 'it depends on test environment',
+                  'ha_cluster_manage_firewall': 'it depends on test environment',
+                  'ha_cluster_manage_selinux': 'it depends on test environment',
                   'ha_cluster_node_options': 'it depends on test environment'
                 })
               }}
@@ -87,6 +89,8 @@
                   allow_list: ["grant", "read", "write"]
               ha_cluster_enable_repos: "it depends on test environment"
               ha_cluster_enable_repos_resilient_storage: "it depends on test environment"
+              ha_cluster_manage_firewall: "it depends on test environment"
+              ha_cluster_manage_selinux: "it depends on test environment"
               ha_cluster_node_options: "it depends on test environment"
           block:
             - name: Print exported configuration

tests/tests_cluster_basic_disabled.yml

@@ -45,6 +45,8 @@
                 ha_cluster_facts | combine({
                   'ha_cluster_enable_repos': 'it depends on test environment',
                   'ha_cluster_enable_repos_resilient_storage': 'it depends on test environment',
+                  'ha_cluster_manage_firewall': 'it depends on test environment',
+                  'ha_cluster_manage_selinux': 'it depends on test environment',
                   'ha_cluster_install_cloud_agents': 'it depends on test environment',
                   'ha_cluster_node_options': 'it depends on test environment'
                 })
@@ -66,6 +68,8 @@
                   allow_list: ["grant", "read", "write"]
               ha_cluster_enable_repos: "it depends on test environment"
               ha_cluster_enable_repos_resilient_storage: "it depends on test environment"
+              ha_cluster_manage_firewall: "it depends on test environment"
+              ha_cluster_manage_selinux: "it depends on test environment"
               ha_cluster_install_cloud_agents: "it depends on test environment"
               ha_cluster_node_options: "it depends on test environment"
           block: