Remove workaround playbook for disabling iptables

[mbukatov]

Description

To remove workaround playbook which disables iptables completely, we need to include firewall setup into tendrl-ansible.

References

Documentation how to configure firewall are available now: https://github.com/Tendrl/documentation/wiki/Tendrl-firewall-settings (link added on Nov 22)

Approach

I propose to:

• tendrl-ansible to open ports for tendrl-components only, gluster ports (or anything else) is out of scope now
• make firewall setup part of both tendrl-server and tendrl-storage-node roles
• firewall will be configured using firewalld service files, provided by particular tendrl components
• when firewalld service is not up and running, stop the playbook(via assert) and ask for manual intervention
• provide way to run tendrl-ansible without reconfiguration of firewall

Why?

Since we can't allow to enable or disable firewall during Tendrl installation, when firewalld is not running, we can't touch firewall configuration at all. When tendrl-ansible detects this, assert will stop the playbook immediately and ask user to resolve the situation:

• one could enable firewalld and configure it to open all ports required for gluster and anything else admin requires to work, and then rerun tendrl-ansible
• one can decide to use iptables tool instead, or any other way to push firewall rules into kernel, in which case one will disable firewall reconfiguration in tendrl-ansible, so that one can take full responsibility for firewall setup. In this mode, tendrl-ansible will not touch firewall at all, assuming it's enabled and configured (this way, one can also decide to not use firewall at all, which is not suggested, but possible)

tendrl-ansible will automate only single way to configure fiewall, which is firewalld. Automating multiple approaches (eg. both iptables and firewalld) is not reasonable, would require additional maintenance work and multiply testing efforts.

Moreover, by using firewalld service files when possible, we can simplify maintenance of firewalld configuration, which will be stored in the repository of the component, and change of port would not require update of tendrl-ansible. I realize that his is not always possible (eg. for etcd we don't directly control), but this approach should be strongly preferred.

[mbukatov]

Details how to configure firewall are available now: https://github.com/Tendrl/documentation/wiki/Tendrl-firewall-settings

[mbukatov]

Accepting this feature for future upstream release 1.5.5

[mbukatov]

Implementation details, based on description in this issue and today's meeting Discuss peding tendrl-nsible issues and plan:

• introduce new ansible variable configure_firewalld_for_tendrl, available in both tendrl-server and tendrl-storage-node roles
• variable configure_firewalld_for_tendrl is True by default
• when configure_firewalld_for_tendrl is True, tendrl-ansible will try to open ports for tendrl services via firewalld
• when configure_firewalld_for_tendrl is True and firewalld is not running, we will abort the playbook (using assert statement) with explanation for the admin, so that he can decide whether to enable firewalld, open ports for gluster and retry, or if he just configures the firewall himself (which includes an option to have no firewall at all) and retry with configure_firewalld_for_tendrl set to false
• when configure_firewalld_for_tendrl is False, tendrl-ansible will not touch any firewalld setup at all and move all responsibility for firewall setup to the admin (this needs to be clearly communicated to the user)

Moreover we decided to handle firewalld reload in tendrl-ansible and not in postscript of tendrl packages shipping firewalld service files.

[mbukatov]

Resolved by https://github.com/Tendrl/tendrl-ansible/pull/70, with exception of usage of firewalld service files, which is now tracked by https://github.com/Tendrl/tendrl-ansible/issues/80