WIP: It's not a hacky workaround if it works

Alex-Welsh · Alex-Welsh · commit ab7f3018c9dc · 2024-06-10T16:40:40.000+01:00
diff --git a/doc/source/configuration/firewall.rst b/doc/source/configuration/firewall.rst
@@ -253,11 +253,28 @@ VM:
         zone: "{{ admin_oc_net_name | net_zone }}"
         state: disabled
 
-Extra rules have higher precedence than the default rules, but are not
+Extra rules have higher precedence than the default rules but are not
 validated before being applied. Use with caution. If you need to add a custom
 rule, consider adding it to the default rule list with an appropriate boolean
 condition, and where possible merge your changes back into upstream SKC.
 
+Kolla-Ansible configuration
+---------------------------
+
+Ensure Kolla Ansible opens up ports in firewalld for services on the public
+API network:
+
+.. code-block:: yaml
+   :caption: ``etc/kayobe/kolla/globals.yml``
+
+   enable_external_api_firewalld: true
+   external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
+
+Ensure every network in ``networks.yml`` has a zone defined. The standard
+configuration is to set the internal network zone to ``trusted`` and every
+other zone to the name of the network. See
+``etc/kayobe/environments/ci-multinode/networks.yml`` for a practical example.
+
 Validation
 ----------
 
@@ -268,33 +285,55 @@ that will be applied to a host.
 
    kayobe configuration dump --var-name stackhpc_firewalld_rules --limit <host>
 
-If the command above prints a template, rather than a clean list of rules, the
-configuration is invalid. The kayobe configuration dump command can be used on
-other variables such as ``stackhpc_firewalld_rules_default`` or
+A shorter version, ``stackhpc_firewalld_rules_debug`` prints the rules in a
+simplified format:
+
+.. code-block:: bash
+
+   kayobe configuration dump --var-name stackhpc_firewalld_rules_debug --limit <host>
+
+If the commands above print a template, rather than a list of rules, the
+configuration may be invalid. The ``kayobe configuration dump`` command can be
+used on other variables such as ``stackhpc_firewalld_rules_default`` or
 ``stackhpc_*_firewalld_rules_template`` to debug the configuration. See the
 `How it works`_ section for more details.
 
-Kolla-Ansible configuration
----------------------------
+It can be useful to print the active ports on each type of host, to create
+rules for running services. The internal network is currently left open. The
+below command will print all other open ports:
 
-Ensure Kolla Ansible opens up ports in firewalld for services on the public
-API network:
+.. code-block:: bash
 
-.. code-block:: yaml
-   :caption: ``etc/kayobe/kolla/globals.yml``
+   ss -lntpu | grep --invert-match '<internal net ip>'
 
-   enable_external_api_firewalld: true
-   external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
+It is strongly recommended that you dry-run the changes using ``--diff`` and
+``--check`` before applying to a production system:
 
-Ensure every network in ``networks.yml`` has a zone defined. The standard
-configuration is to set the internal network zone to ``trusted`` and every
-other zone to the name of the network. See
-``etc/kayobe/environments/ci-multinode/networks.yml`` for a practical example.
+.. code-block:: bash
+   :caption: ``Overcloud diff example``
+
+   kayobe overcloud host configure -t firewall --diff --check
 
 Applying changes
 ----------------
 
-Use the ``kayobe * host configure`` commands to apply the changes:
+Before applying these changes, you should be completely sure you are not going
+to lock yourself out of any hosts. If you are deploying these changes to a test
+environment, it might be appropriate to set a password on the stack user so
+that you can access the host through a BMC or horizon console.
+
+The following Kayobe command can be used to set a password on all overcloud
+hosts:
+
+.. code-block:: bash
+
+   kayobe overcloud host command run --command "echo 'stack:super-secret-password' | sudo chpasswd" --show-output
+
+Changes should be applied to controllers one at a time to ensure connectivity
+is not lost.
+
+Once you are sure you know what you are doing, use the ``kayobe * host
+configure`` commands to apply the firewall changes:
 
 .. code-block:: bash
 
@@ -304,7 +343,13 @@ Use the ``kayobe * host configure`` commands to apply the changes:
    kayobe seed host configure -t network,firewall
    # For Infrastructure VM hosts
    kayobe infra vm host configure -t network,firewall
-   # For Overcloud hosts
+   # For the First Controller
+   kayobe overcloud host configure -t network,firewall -l controllers[0]
+   # For the Second Controller
+   kayobe overcloud host configure -t network,firewall -l controllers[1]
+   # For the Third Controller
+   kayobe overcloud host configure -t network,firewall -l controllers[2]
+   # For the rest of the Overcloud hosts
    kayobe overcloud host configure -t network,firewall
 
 How it works
diff --git a/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/firewall.yml b/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/firewall.yml
@@ -0,0 +1,7 @@
+---
+
+stackhpc_firewalld_rules_extra:
+  - port: "{{ vxlan_dstport }}/udp"
+    network: "{{ admin_oc_net_name }}"
+    zone: "{{ admin_oc_net_name | net_zone }}"
+    state: enabled
diff --git a/etc/kayobe/environments/ci-multinode/networks.yml b/etc/kayobe/environments/ci-multinode/networks.yml
@@ -72,7 +72,7 @@ storage_mgmt_net_name: storage_mgmt
 # Network definitions.
 
 # Admin overcloud network
-admin_oc_zone: "trusted"
+admin_oc_zone: "admin_oc"
 
 # Internal network
 internal_cidr: 192.168.37.0/24
diff --git a/etc/kayobe/inventory/group_vars/all/firewall b/etc/kayobe/inventory/group_vars/all/firewall
@@ -48,17 +48,19 @@ stackhpc_firewalld_rules_default: |
   {% if rule.zone is not defined %}
   {% set rule = rule | combine({'zone': rule.network | net_zone }) %}
   {% endif %}
+  {% if rule not in stackhpc_firewalld_rules_formatted %}
   {% if rule | ansible.utils.remove_keys('state') in stackhpc_firewalld_rules_formatted | map('ansible.utils.remove_keys', 'state') %}
-  {% set stackhpc_firewalld_rules_formatted = 'Invalid configuration! Two matching firewalld rules probably exist with different states' + 1 %}
+  {% set _ = stackhpc_firewalld_rules_formatted.append({'state':'failure'}) %}
   {% elif rule.network is not defined %}
   {% set _ = stackhpc_firewalld_rules_formatted.append(rule) %}
   {% elif rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_firewalld_rules_formatted.append(rule) %}
   {% endif %}
+  {% endif %}
   {% endfor %}
   {% endif %}
   {% endfor %}
-  {{ stackhpc_firewalld_rules_formatted }}
+  {{ undef(hint='ERROR: Conflicting firewall rules found') if ({'state':'failure'} in stackhpc_firewalld_rules_formatted) else stackhpc_firewalld_rules_formatted }}
 
 stackhpc_firewalld_rules_template: |
   {{ stackhpc_common_firewalld_rules_template +
@@ -71,6 +73,23 @@ stackhpc_firewalld_rules_template: |
      (stackhpc_wazuh_manager_infra_vm_firewalld_rules_template if 'wazuh-manager' in group_names else []) +
      (stackhpc_ansible_control_infra_vm_firewalld_rules_template if inventory_hostname == 'localhost' else []) }}
 
+###############################################################################
+# Debug Vars
+
+# This variable is not applied anywhere. It exists for debugging purpouses
+# only. Print it with:
+# kayobe configuration dump --var-name stackhpc_firewalld_rules_debug
+stackhpc_firewalld_rules_debug: |
+    {% set stackhpc_firewalld_services_debug = [] %}
+    {% for rule in stackhpc_firewalld_rules %}
+    {% if rule.service is defined %}
+    {% set _ = stackhpc_firewalld_services_debug.append(rule.service + ' ' + rule.state + ' ' + rule.zone | default()) %}
+    {% else %}
+    {% set _ = stackhpc_firewalld_services_debug.append(rule.port + ' ' + rule.state + ' ' + rule.zone | default()) %}
+    {% endif %}
+    {% endfor %}
+    {{ stackhpc_firewalld_services_debug | list }}
+
 ###############################################################################
 # Extra firewalld rules
 
