Add disable_firewall variable

Adds a new variable, 'disable_firewall', which defaults to true. If set
to false, then the host firewall will not be disabled during
kolla-ansible bootstrap-servers.

Change-Id: Ie5131013012f89c8c3b91ca359ad17d9cb77efc8
(cherry picked from commit 9fffc7b)

Author: markgoddard

ansible/roles/baremetal/defaults/main.yml

@@ -30,6 +30,9 @@ change_selinux: True
 
 selinux_state: "permissive"
 
+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
 docker_storage_driver: ""
 docker_custom_option: ""
 docker_custom_config: {}

ansible/roles/baremetal/tasks/install.yml

@@ -6,34 +6,36 @@
   when: ansible_facts.os_family == 'Debian'
 
 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
-- name: Set firewall default policy
-  become: True
-  ufw:
-    state: disabled
-    policy: allow
-  when: ansible_facts.os_family == 'Debian'
-  ignore_errors: yes
-
-- name: Check if firewalld is installed
-  command: rpm -q firewalld
-  register: firewalld_check
-  changed_when: false
-  failed_when: firewalld_check.rc > 1
-  args:
-    warn: false
-  when: ansible_facts.os_family == 'RedHat'
+- block:
+    - name: Set firewall default policy
+      become: True
+      ufw:
+        state: disabled
+        policy: allow
+      when: ansible_facts.os_family == 'Debian'
+      ignore_errors: yes
+
+    - name: Check if firewalld is installed
+      command: rpm -q firewalld
+      register: firewalld_check
+      changed_when: false
+      failed_when: firewalld_check.rc > 1
+      args:
+        warn: false
+      when: ansible_facts.os_family == 'RedHat'
 
-- name: Disable firewalld
-  become: True
-  service:
-    name: "{{ item }}"
-    enabled: false
-    state: stopped
-  with_items:
-    - firewalld
-  when:
-    - ansible_facts.os_family == 'RedHat'
-    - firewalld_check.rc == 0
+    - name: Disable firewalld
+      become: True
+      service:
+        name: "{{ item }}"
+        enabled: false
+        state: stopped
+      with_items:
+        - firewalld
+      when:
+        - ansible_facts.os_family == 'RedHat'
+        - firewalld_check.rc == 0
+  when: disable_firewall | bool
 
 # Upgrading docker engine may cause containers to stop. Take a snapshot of the
 # running containers prior to a potential upgrade of Docker.

doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst

@@ -200,6 +200,8 @@ will be added to allow all traffic.
 
 On Red Hat family systems where firewalld is installed, it will be disabled.
 
+This behaviour can be avoided by setting ``disable_firewall`` to ``false``.
+
 Creation of Python virtual environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

releasenotes/notes/disable-firewall-1e1955168c717cb5.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new variable, ``disable_firewall``, which defaults to ``true``. If
+    set to ``false``, then the host firewall will not be disabled during
+    ``kolla-ansible bootstrap-servers``.