@marcelmamula marcelmamula commented Dec 5, 2025

Disclaimer

This role will still use existing ansible.posix.firewalld without switching to linux_system_roles.firewall, which needs some care before it can be used.

Changes

This role was completely broken down and rebuilt from the ground up to follow Ansible best practices, Ansible 2.20 linting and Project guidelines.

Notable changes:

  • Role is now stateful, allowing removal of configuration and idempotency.
  • All variables adjusted to conform with their usage and redesigned to fit their purpose - Breaking change for 1.0
  • Add much needed validations and asserts
  • Separate workflow for predefined presets and custom ports and services.
  • Validation for zones and services to avoid posix.firewalld fails.

Tests

This was tested on SLES 15 SP6 and SLES 16.

Further use

@berndfinger @ja9fuchs This will serve as an example of what I will add to sap_swpm, sap_hana_install and sap_ha_pacemaker_cluster directly in a smaller format, without adding an extra dependency on sap_operations.

@marcelmamula marcelmamula changed the title from "sap_firewall: Complete rework of role" to "sap_firewall: Complete redesign and rework" on Dec 9, 2025
@sean-freeman sean-freeman left a comment

Missing:

Ref: https://help.sap.com/docs/Security/575a9f0e56f34c6e8138439eefc32b16/616a3c0b1cc748238de9c0341b15c63c.html?locale=en-US

README:

  • 3200-3399 should be split in two entries in the README, as 32NN and 33NN
  • Would suggest recording the processes where possible, such as:
    • 32NN # SAP NetWeaver ASCS - Dispatcher sapdp<ASCS_NN> process
    • 36NN # SAP NetWeaver ASCS - Message Server sapms process
    • 81NN # SAP NetWeaver ASCS - Message Server HTTP sapms process
    • 39NN # SAP NetWeaver ASCS/ERS - Enqueue Server sapenq process
    • 5NN16 # SAP NetWeaver ASCS - Enqueue Replicator Server sapenqrepl process
    • 5NN13 # SAP NetWeaver ASCS - SAP Start Service (SAPControl SOAP) HTTP sapctrl<ASCS_NN> process
    • 5NN14 # SAP NetWeaver ASCS - SAP Start Service (SAPControl SOAP) HTTPS (Secure) sapctrls<ASCS_NN>

@marcelmamula (Author)

@sean-freeman Thank you Sean. I have added most of them in the latest commit, with a few exceptions like:

  • 5912 # IBM Db2 Communication Port, because it would be more suited for a dedicated anyDB preset in the future, not the baseline NetWeaver one.
  • 4NN40 - 4NN97 # SAP HANA xsengine, scriptserver, docstore dynamic range is one of many internal port ranges so we can skip it.

I have gathered some process information and added it to the NetWeaver preset. I am having an issue with my HANA hosts, so I was not able to capture the rest of them for the HANA and HA presets.
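As an added example (not code from this PR or from the sap_firewall role), the following Python derives concrete firewalld port entries for a given SAP instance number from the `NN` port patterns listed in the review comment above, with the kind of input validation the PR description calls for. The pattern-to-process mapping is copied from that comment; the `tcp` default and the function names are assumptions.

```python
import re
from typing import Dict, List

# Port patterns for a SAP NetWeaver ASCS/ERS instance, copied from the review
# comment. "NN" stands for the two-digit SAP instance number.
NETWEAVER_ASCS_PATTERNS: Dict[str, str] = {
    "32NN": "ASCS Dispatcher sapdp<NN>",
    "36NN": "ASCS Message Server sapms",
    "81NN": "ASCS Message Server HTTP sapms",
    "39NN": "ASCS/ERS Enqueue Server sapenq",
    "5NN16": "ASCS Enqueue Replicator Server sapenqrepl",
    "5NN13": "ASCS SAP Start Service (SAPControl SOAP) HTTP sapctrl<NN>",
    "5NN14": "ASCS SAP Start Service (SAPControl SOAP) HTTPS sapctrls<NN>",
}

# A pattern is digits with exactly one "NN" placeholder somewhere inside.
PATTERN_RE = re.compile(r"^\d*NN\d*$")


def expand_port(pattern: str, instance_nr: str) -> int:
    """Substitute the instance number into one pattern and return the port."""
    if not re.fullmatch(r"\d{2}", instance_nr):
        raise ValueError(f"instance number must be two digits, got {instance_nr!r}")
    if not PATTERN_RE.match(pattern):
        raise ValueError(f"unsupported port pattern {pattern!r}")
    port = int(pattern.replace("NN", instance_nr))
    if not 1 <= port <= 65535:
        raise ValueError(f"{pattern} expands to out-of-range port {port}")
    return port


def expand_range(pattern: str, instance_nr: str) -> str:
    """Expand 'AAA - BBB' into the 'start-end' notation firewalld accepts.

    Example: '4NN40 - 4NN97' with instance 00 becomes '40040-40097'.
    """
    parts = [p.strip() for p in pattern.split("-")]
    if len(parts) != 2:
        raise ValueError(f"range pattern must have exactly one '-': {pattern!r}")
    start, end = (expand_port(p, instance_nr) for p in parts)
    if start > end:
        raise ValueError(f"range start {start} is above end {end}")
    return f"{start}-{end}"


def firewalld_ports(instance_nr: str, protocol: str = "tcp") -> List[str]:
    """Return 'port/protocol' strings in the form ansible.posix.firewalld takes."""
    return [f"{expand_port(p, instance_nr)}/{protocol}" for p in NETWEAVER_ASCS_PATTERNS]
```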


@sean-freeman sean-freeman left a comment

LGTM 👍
