authorRussell Teague <rteague@redhat.com>2017-08-14 15:25:28 -0400
committerRussell Teague <rteague@redhat.com>2017-08-15 10:12:07 -0400
commitece3cf9aa66e0974e7f30ffb5798b23c64fd04cc (patch)
tree2420111a6d0282743240203c68ba702ee54fdfc9 /roles/os_firewall/tasks/iptables.yml
parent2dd904feeec57bcb46281a7066b26c140fadfef8 (diff)
Additional os_firewall role refactoring
* Remove openshift_facts dependency
* Move firewall initialization from std_include.yml to openshift_cluster/config.yml

Installing firewall packages is only necessary during OpenShift installation.
Diffstat (limited to 'roles/os_firewall/tasks/iptables.yml')
-rw-r--r--roles/os_firewall/tasks/iptables.yml41
1 files changed, 41 insertions, 0 deletions
diff --git a/roles/os_firewall/tasks/iptables.yml b/roles/os_firewall/tasks/iptables.yml
new file mode 100644
index 000000000..0af5abf38
--- /dev/null
+++ b/roles/os_firewall/tasks/iptables.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Ensure firewalld service is not enabled
+ systemd:
+ name: firewalld
+ state: stopped
+ enabled: no
+ masked: yes
+ register: task_result
+ failed_when: task_result|failed and 'could not' not in task_result.msg|lower
+
+- name: Wait 10 seconds after disabling firewalld
+ pause:
+ seconds: 10
+ when: task_result | changed
+
+- name: Install iptables packages
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - iptables
+ - iptables-services
+ when: not r_os_firewall_is_atomic | bool
+
+- name: Start and enable iptables service
+ systemd:
+ name: iptables
+ state: started
+ enabled: yes
+ masked: no
+ daemon_reload: yes
+ register: result
+ delegate_to: "{{item}}"
+ run_once: true
+ with_items: "{{ ansible_play_hosts }}"
+
+- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
+ pause:
+ seconds: 10
+ when: result | changed
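Review bot: firewalld is stopped and masked in `Ensure firewalld service is not enabled` before `Install iptables packages` and `Start and enable iptables service` run, so a package failure or a host that drops out of the play between those tasks is left with no firewall service active at all. Moving the package task ahead of the firewalld task would close most of that window, and since the start task carries no `when: not r_os_firewall_is_atomic | bool` guard it implicitly assumes iptables is already present on atomic hosts — a comment such as `# atomic hosts ship iptables; the package task above is skipped there` would make that explicit. The truthy scalars should follow the Ansible convention (`enabled: false`, `masked: true`, `daemon_reload: true`), and `delegate_to: "{{item}}"` should use the same `"{{ item }}"` spacing as the package task. `task_result|failed` and `result | changed` are the older filter form of these tests; if the supported Ansible versions accept `is failed` / `is changed`, those read better and avoid the later deprecation.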