Allow adding a select interface to a selected zone. robertdebock#4

README.md

@@ -61,12 +61,43 @@ firewall_services:
 #     protocol: tcp
 #   - name: 1337
 #     state: absent
+
+# A list of interfaces you would like to add/remove to/from a zone in firewalld.
+# firewall_interfaces: []
+
+# examples:
+# firewall_interfaces:
+#   - interface: eth0
+#     zone: trusted
+#   - type: bond
+#     interface: bond0
+#     zone: trusted
+#   - interface: ens0
+#     zone: trusted
+#     state: disabled
+
 ```
 
 ## [Requirements](#requirements)
 
 - pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-firewall/blob/master/requirements.txt).
 
+- Feature [Allow adding a select interface to a selected zone.](https://github.com/robertdebock/ansible-role-firewall/issues/4) is only supported on operating systems with firewalld as default firewall software.
+  For details see manpage _firewalld.zones(5)_ "How to set or change a zone for a connection?".
+  This feature will only be usable if the interface is managed by NetworkManager.
+  Suse os-family needs to switch from wicked to NetworkManager, RedHat os-family is using NetworkManger by default.
+  [Requires installing additional packages](https://docs.ansible.com/ansible/latest/collections/community/general/nmcli_module.html#synopsis) otherwise tasks for the feature will be skipped.
+
+    - known issue: collection `community.general is version('3.3.0', '>=')` and `ansible_distribution == 'Fedora' and ansible_distribution_major_version is version('30', '<=')`.
+
+      - _reason_: those versions [pulled in new settings](https://github.com/ansible-collections/community.general/pull/2732/checks) see `routing-rules` in [nm-settings](https://developer-old.gnome.org/NetworkManager/stable/nm-settings-nmcli.html).
+
+        _workarround_: use collection `community.general` version `3.2.0` but this will introduce different issues. therefore  fedora<=30 not supported
+
+            # on centos7,fedora29,rhel7
+            CRITICAL Idempotence test failed because of the following tasks:
+            *  => ansible-role-firewall : add interface to a zone (networkmanager)
+
 ## [Status of used roles](#status-of-requirements)
 
 The following roles are used to prepare a system. You can prepare your system in another way.
@@ -89,7 +120,7 @@ This role has been tested on these [container images](https://hub.docker.com/u/r
 |container|tags|
 |---------|----|
 |alpine|all|
-|el|8|
+|el|7,8|
 |debian|all|
 |fedora|all|
 |opensuse|all|

defaults/main.yml

@@ -21,3 +21,17 @@ firewall_services:
 #     protocol: tcp
 #   - name: 1337
 #     state: absent
+
+# A list of interfaces you would like to add/remove to/from a zone in firewalld.
+# firewall_interfaces: []
+
+# examples:
+# firewall_interfaces:
+#   - interface: eth0
+#     zone: trusted
+#   - type: bond
+#     interface: bond0
+#     zone: trusted
+#   - interface: ens0
+#     zone: trusted
+#     state: disabled

handlers/main.yml

@@ -12,3 +12,11 @@
 - name: reload firewalld
   ansible.builtin.command:
     cmd: firewall-cmd --reload
+
+- name: restart NetworkManager
+  ansible.builtin.service:
+    name: NetworkManager
+    state: restarted
+  when:
+    - ansible_connection not in [ "container", "docker", "community.docker.docker" ]
+    - not ansible_check_mode | bool

molecule/default/converge.yml

@@ -6,3 +6,8 @@
 
   roles:
     - role: ansible-role-firewall
+
+    # - role: ansible-role-firewall
+    #   firewall_interfaces:
+    #     - interface: eth0
+    #       zone: trusted

molecule/physical/INSTALL.rst

@@ -0,0 +1,72 @@
+*******
+Delegated driver installation guide
+*******
+
+Requirements
+============
+
+Machines are pre-provisioned and externally managed via vagrant. Boxes are taken from https://roboxes.org/
+
+Install
+=======
+
+* install vagrant
+* vagrant boxes
+    ```shell
+    vagrant box add generic/alma8
+    vagrant box add generic/centos7
+    vagrant box add generic/centos8
+    vagrant box add generic/fedora28
+    vagrant box add generic/fedora29
+    vagrant box add generic/fedora35
+    vagrant box add generic/opensuse15
+    vagrant box add generic/rhel7
+    vagrant box add generic/rhel8
+    ```
+* create vagrant environment
+    ```shell
+    vagrant up
+    ```
+* export ssh config
+    ```shell
+    vagrant ssh-config > molecule/physical/ssh_config
+    ```
+* copy and change permissions on identityfiles.
+    ```shell
+    VAGRANTFILE_BASEDIR=/mnt/c/Users/Public/Documents/EL
+    pushd molecule/physical/.ssh
+    for file in $(ls -1 "${VAGRANTFILE_BASEDIR}/.vagrant/machines/"*"/"*"/private_key")
+    do
+    cp -v "$file" "$(basename $(dirname $(dirname $file)))"
+    chmod 0600 "$(basename $(dirname $(dirname $file)))"
+    done
+    ```
+* edit the path of IdentityFile property in ssh_config
+
+Access hosts
+------------
+
+ssh to all hosts:
+
+    for host in $(\grep -Po '^Host\s+\K.*'  molecule/physical/ssh_config); do echo $host ; ssh -X -F molecule/physical/ssh_config $host ; done
+
+
+Details 
+-------
+
+vagrant providers
+~~~~~~~~~~~~~~~~
+
+* hyper-v
+
+this is on windows desktop with hyper-v virtualization and ansible running inside WSL.
+forwarding needs to be setup between the different switches:
+
+    Get-NetIPInterface | where {$_.InterfaceAlias -eq 'vEthernet (WSL)' -or $_.InterfaceAlias -eq 'vEthernet (Default Switch)'} | Set-NetIPInterface -Forwarding Enabled
+
+vagrant image
+~~~~~~~~~~~~~
+
+* generic/opensuse15
+
+this image has some updating issues. it maybe required to login once and run: `sudo zypper ref && sudo zypper up && sudo reboot`

molecule/physical/Vagrantfile

@@ -0,0 +1,29 @@
+Vagrant.configure("2") do |config|
+    config.vm.define "alma8" do |alma8|
+      alma8.vm.box = "generic/alma8"
+    end
+    config.vm.define "centos7" do |centos7|
+      centos7.vm.box = "generic/centos7"
+    end
+    config.vm.define "centos8" do |centos8|
+      centos8.vm.box = "generic/centos8"
+    end
+    # config.vm.define "fedora28" do |fedora28|
+    #   fedora28.vm.box = "generic/fedora28"
+    # end
+    # config.vm.define "fedora29" do |fedora29|
+    #   fedora29.vm.box = "generic/fedora29"
+    # end
+    config.vm.define "fedora35" do |fedora35|
+      fedora35.vm.box = "generic/fedora35"
+    end
+    config.vm.define "opensuse15" do |opensuse15|
+      opensuse15.vm.box = "generic/opensuse15"
+    end
+    config.vm.define "rhel7" do |rhel7|
+      rhel7.vm.box = "generic/rhel7"
+    end
+    config.vm.define "rhel8" do |rhel8|
+      rhel8.vm.box = "generic/rhel8"
+    end
+  end

molecule/physical/create.yml

@@ -0,0 +1,36 @@
+---
+- name: Create
+  # hosts: localhost
+  hosts: all
+  # connection: local
+  gather_facts: false
+  # no_log: "{{ molecule_no_log }}"
+  # tasks:
+
+  #   # TODO: Developer must implement and populate 'server' variable
+
+  #   - when: server.changed | default(false) | bool
+  #     block:
+  #       - name: Populate instance config dict
+  #         set_fact:
+  #           instance_conf_dict: {
+  #             'instance': "{{ }}",
+  #             'address': "{{ }}",
+  #             'user': "{{ }}",
+  #             'port': "{{ }}",
+  #             'identity_file': "{{ }}", }
+  #         with_items: "{{ server.results }}"
+  #         register: instance_config_dict
+
+  #       - name: Convert instance config dict to a list
+  #         set_fact:
+  #           instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
+
+  #       - name: Dump instance config
+  #         copy:
+  #           content: |
+  #             # Molecule managed
+
+  #             {{ instance_conf | to_json | from_json | to_yaml }}
+  #           dest: "{{ molecule_instance_config }}"
+  #           mode: 0600

molecule/physical/destroy.yml

@@ -0,0 +1,25 @@
+---
+- name: Destroy
+  # hosts: localhost
+  hosts: all
+  # connection: local
+  gather_facts: false
+  # no_log: "{{ molecule_no_log }}"
+  # tasks:
+  #   # Developer must implement.
+
+  #   # Mandatory configuration for Molecule to function.
+
+  #   - name: Populate instance config
+  #     set_fact:
+  #       instance_conf: {}
+
+  #   - name: Dump instance config
+  #     copy:
+  #       content: |
+  #         # Molecule managed
+
+  #         {{ instance_conf | to_json | from_json | to_yaml }}
+  #       dest: "{{ molecule_instance_config }}"
+  #       mode: 0600
+  #     when: server.changed | default(false) | bool

molecule/physical/molecule.yml

@@ -0,0 +1,37 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: requirements.yml
+    requirements-file: requirements.yml
+driver:
+  name: delegated
+  options:
+    managed: False
+    login_cmd_template: 'ssh {instance} -F "${MOLECULE_SCENARIO_DIRECTORY}/ssh_config"'
+    ansible_connection_options:
+      ansible_connection: ssh
+      ansible_ssh_common_args: '-F "${MOLECULE_SCENARIO_DIRECTORY}/ssh_config"'
+platforms:
+  - name: alma8
+  - name: centos7
+  - name: centos8
+  # - name: fedora28
+  # - name: fedora29
+  - name: fedora35
+  - name: opensuse15
+  - name: rhel7
+  - name: rhel8
+provisioner:
+  name: ansible
+  playbooks:
+    # prepare: ../default/prepare.yml
+    converge: ../default/converge.yml
+  default_sequence:
+    - converge
+  test_sequence:
+    # - prepare
+    - converge
+    # - verify
+  verify_sequence:
+    - converge

molecule/physical/ssh_config

@@ -0,0 +1,98 @@
+Host alma8
+  HostName 172.18.243.66
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/alma8
+  IdentitiesOnly yes
+  LogLevel FATAL
+
+Host centos7
+  HostName 172.18.250.61
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/centos7
+  IdentitiesOnly yes
+  LogLevel FATAL
+
+Host centos8
+  HostName 172.18.247.56
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/centos8
+  IdentitiesOnly yes
+  LogLevel FATAL
+
+# Host fedora28
+#   HostName 172.18.255.86
+#   User vagrant
+#   Port 22
+#   UserKnownHostsFile /dev/null
+#   StrictHostKeyChecking no
+#   PasswordAuthentication no
+#   IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/fedora28
+#   IdentitiesOnly yes
+#   LogLevel FATAL
+
+# Host fedora29
+#   HostName 172.18.253.40
+#   User vagrant
+#   Port 22
+#   UserKnownHostsFile /dev/null
+#   StrictHostKeyChecking no
+#   PasswordAuthentication no
+#   IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/fedora29
+#   IdentitiesOnly yes
+#   LogLevel FATAL
+
+Host fedora35
+  HostName 172.18.241.212
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/fedora35
+  IdentitiesOnly yes
+  LogLevel FATAL
+
+Host opensuse15
+  HostName 172.18.246.76
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/opensuse15
+  IdentitiesOnly yes
+  LogLevel FATAL
+
+Host rhel7
+  HostName 172.18.245.107
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/rhel7
+  IdentitiesOnly yes
+  LogLevel FATAL
+
+Host rhel8
+  HostName 172.18.254.195
+  User vagrant
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+  PasswordAuthentication no
+  IdentityFile /home/robert.rettig/git/github.com/ndgit/ansible-role-firewall/molecule/physical/.ssh/rhel8
+  IdentitiesOnly yes
+  LogLevel FATAL