Install and enable firewalld if it is configured for ipaserver role

ipaserver role by default tries to configure firewalld but it didn't check if firewalld related packages were installed. Similar to DNS and trust to AD features, install firewalld-related packages before trying to configure firewalld. Additionally, enable and start firewalld.service because otherwise firewall-cmd cannot communicate with firewalld itself (it is not starting on demand). If and administrator considers not to use firewalld, a default for ipaserver_setup_firewalld variable has to be set to 'no'. Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
2026-05-06 13:23:14 +00:00 · 2019-12-09 18:27:12 +02:00
parent bf1e53cb70
commit 2136c73409
12 changed files with 30 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -155,6 +155,7 @@ ipaserver_install_packages=no
 ipaserver_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.

 For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).

--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -19,6 +19,19 @@
      state: present
    when: ipaserver_setup_adtrust | bool

+  - name: Install - Ensure that firewall packages installed
+    package:
+      name: "{{ ipaserver_packages_firewalld }}"
+      state: present
+    when: ipaserver_setup_firewalld | bool
+
+  - name: Firewalld service - Ensure that firewalld is running
+    systemd:
+      name: firewalld
+      enabled: yes
+      state: started
+    when: ipaserver_setup_firewalld | bool
+
  when: ipaserver_install_packages | bool

 #- name: Install - Include Python2/3 import test
--- a/roles/ipaserver/vars/CentOS-7.yml
+++ b/roles/ipaserver/vars/CentOS-7.yml
@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/Fedora-25.yml
+++ b/roles/ipaserver/vars/Fedora-25.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/Fedora-26.yml
+++ b/roles/ipaserver/vars/Fedora-26.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/Fedora-27.yml
+++ b/roles/ipaserver/vars/Fedora-27.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/Fedora.yml
+++ b/roles/ipaserver/vars/Fedora.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "freeipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
-ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/RedHat-7.3.yml
+++ b/roles/ipaserver/vars/RedHat-7.3.yml
@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/RedHat-7.yml
+++ b/roles/ipaserver/vars/RedHat-7.yml
@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/RedHat-8.yml
+++ b/roles/ipaserver/vars/RedHat-8.yml
@@ -3,3 +3,4 @@
 ipaserver_packages: [ "@idm:DL1/server" ]
 ipaserver_packages_dns: [ "@idm:DL1/dns" ]
 ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/Ubuntu.yml
+++ b/roles/ipaserver/vars/Ubuntu.yml
@@ -2,3 +2,4 @@
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/default.yml
+++ b/roles/ipaserver/vars/default.yml
@@ -3,3 +3,4 @@
 ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]