From 6990a041c77c0b21b681b4f721b2cf55209b3eea Mon Sep 17 00:00:00 2001
From: k-s-dean
Date: Tue, 19 Jul 2022 16:40:35 +0100
Subject: [PATCH] Add support for firewalld on Ubuntu

Enables the installation and configuration of firewalld on Ubuntu systems.

Change-Id: I4a97a2aeed277be672e15e5c7727b810e11d3c42
Story: 2010160
Task: 45818
---
 ansible/firewall.yml | 7 +++----
 .../defaults/main.yml | 0
 .../handlers/main.yml | 0
 .../tasks/disabled.yml | 0
 .../tasks/enabled.yml | 0
 .../{firewall-redhat => firewalld}/tasks/main.yml | 0
 doc/source/configuration/reference/hosts.rst | 7 +++----
 .../overrides.yml.j2 | 2 +-
 .../tests/test_overcloud_host_configure.py | 13 ++-----------
 .../add-support-for-firewalld-4387151a727bf8bb.yaml | 5 +++++
 10 files changed, 14 insertions(+), 20 deletions(-)
 rename ansible/roles/{firewall-redhat => firewalld}/defaults/main.yml (100%)
 rename ansible/roles/{firewall-redhat => firewalld}/handlers/main.yml (100%)
 rename ansible/roles/{firewall-redhat => firewalld}/tasks/disabled.yml (100%)
 rename ansible/roles/{firewall-redhat => firewalld}/tasks/enabled.yml (100%)
 rename ansible/roles/{firewall-redhat => firewalld}/tasks/main.yml (100%)
 create mode 100644 releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml

diff --git a/ansible/firewall.yml b/ansible/firewall.yml
index c133fb011..935328db9 100644
--- a/ansible/firewall.yml
+++ b/ansible/firewall.yml
@@ -5,8 +5,7 @@
 - config
 - firewall
 tasks:
- - name: Configure the firewall
+ - name: Configure firewalld
 include_role:
- name: "firewall-{{ ansible_facts.os_family | lower }}"
- when:
- - ansible_facts.os_family == 'RedHat'
+ name: "firewalld"
+
diff --git a/ansible/roles/firewall-redhat/defaults/main.yml b/ansible/roles/firewalld/defaults/main.yml
similarity index 100%
rename from ansible/roles/firewall-redhat/defaults/main.yml
rename to ansible/roles/firewalld/defaults/main.yml
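Review bot: In ansible/firewall.yml the `Configure firewalld` task now runs the role on every host because the `when: ansible_facts.os_family == 'RedHat'` guard is gone, while the role files are renamed at 100% similarity, so Ubuntu hosts get the unchanged CentOS/Rocky tasks. Nothing in this patch deals with ufw, so if it is active on an Ubuntu host next to firewalld the rules actually enforced may differ from the zones Kayobe configured; the role should presumably stop and disable ufw when firewalld is enabled, which needs confirming against the role tasks, not shown here. The firewalld tests un-skipped in test_overcloud_host_configure.py could pin that with `assert not host.service("ufw").is_running`. The hunk also adds an empty line at the end of the file that can be dropped; the play header lies above the hunk.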
diff --git a/ansible/roles/firewall-redhat/handlers/main.yml b/ansible/roles/firewalld/handlers/main.yml
similarity index 100%
rename from ansible/roles/firewall-redhat/handlers/main.yml
rename to ansible/roles/firewalld/handlers/main.yml
diff --git a/ansible/roles/firewall-redhat/tasks/disabled.yml b/ansible/roles/firewalld/tasks/disabled.yml
similarity index 100%
rename from ansible/roles/firewall-redhat/tasks/disabled.yml
rename to ansible/roles/firewalld/tasks/disabled.yml
diff --git a/ansible/roles/firewall-redhat/tasks/enabled.yml b/ansible/roles/firewalld/tasks/enabled.yml
similarity index 100%
rename from ansible/roles/firewall-redhat/tasks/enabled.yml
rename to ansible/roles/firewalld/tasks/enabled.yml
diff --git a/ansible/roles/firewall-redhat/tasks/main.yml b/ansible/roles/firewalld/tasks/main.yml
similarity index 100%
rename from ansible/roles/firewall-redhat/tasks/main.yml
rename to ansible/roles/firewalld/tasks/main.yml
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index 4cb6e57a0..a7c87dc90 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -469,12 +469,11 @@ Firewalld *tags:* | ``firewall`` -.. note:: Firewalld is supported on CentOS and Rocky systems only. Currently no - firewall is supported on Ubuntu. - -Firewalld can be used to provide a firewall on CentOS/Rocky systems. Since the +Firewalld can be used to provide a firewall on supported systems. Since the Xena release, Kayobe provides support for enabling or disabling firewalld, as well as defining zones and rules. +Since the Zed 13.0.0 release, Kayobe added support for configuring firewalld on +Ubuntu systems. The following variables can be used to set whether to enable firewalld:
diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
index fed315141..c5ecefdb8 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@@ -170,7 +170,7 @@ chrony_ntp_servers: - option: maxsources val: 2 -# Enable firewalld (CentOS only). +# Enable firewalld controller_firewalld_enabled: true controller_firewalld_zones: - zone: test-zone1
diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
index f9582e155..d2ff5c5aa 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
+++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
@@ -11,11 +11,6 @@ import distro import pytest -def _is_firewalld_supported(): - info = distro.id() - return info in ['centos', 'rocky'] - - def _is_apt(): info = distro.linux_distribution() return info[0].startswith('Ubuntu')
@@ -25,10 +20,12 @@ def _is_dnf(): info = distro.id() return info in ['centos', 'rocky'] + + def _is_dnf_mirror(): info = distro.id() return info == 'centos' + + def test_network_ethernet(host): interface = host.interface('dummy2') assert interface.exists
@@ -241,16 +238,12 @@ def test_tuned_profile_is_active(host): assert "throughput-performance" in tuned_output -@pytest.mark.skipif(not _is_firewalld_supported(), - reason="Firewalld only supported on CentOS and Rocky") def test_firewalld_running(host): assert host.package("firewalld").is_installed assert host.service("firewalld.service").is_enabled assert host.service("firewalld.service").is_running -@pytest.mark.skipif(not _is_firewalld_supported(), - reason="Firewalld only supported on CentOS and Rocky") def test_firewalld_zones(host): # Verify that interfaces are on correct zones. expected_zones = {
@@ -272,8 +265,6 @@ def test_firewalld_zones(host): assert zone == expected_zone -@pytest.mark.skipif(not _is_firewalld_supported(), - reason="Firewalld only supported on CentOS and Rocky") def test_firewalld_rules(host): # Verify that expected rules are present. expected_info = {
diff --git a/releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml b/releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml
new file mode 100644
index 000000000..488e69bdd
--- /dev/null
+++ b/releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds support for configuring a firewall via firewalld on Ubuntu. See `story
+ 2010160 `__ for details.