Merge "Apply public firewalld rules immediately" into stable/2023.1

stackhpc · Sep 10, 2024 · 287bbf6 · 287bbf6
2 parents b964085 + 13918ee
commit 287bbf6
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/ansible/roles/haproxy-config/tasks/main.yml b/ansible/roles/haproxy-config/tasks/main.yml
@@ -24,8 +24,9 @@
 
 - name: "Configuring firewall for {{ project_name }}"
   firewalld:
-    offline: "yes"
-    permanent: "yes"
+    immediate: true
+    offline: true
+    permanent: true
     port: "{{ item.value.port }}/tcp"
     state: "enabled"
     zone: "{{ external_api_firewalld_zone }}"
@@ -38,5 +39,3 @@
     - enable_external_api_firewalld | bool
     - kolla_action != "config"
   with_dict: "{{ project_services | extract_haproxy_services }}"
-  notify:
-    - "Reload firewalld"
diff --git a/ansible/roles/loadbalancer/handlers/main.yml b/ansible/roles/loadbalancer/handlers/main.yml
@@ -1,10 +1,4 @@
 ---
-- name: Reload firewalld
-  become: True
-  service:
-    name: "firewalld"
-    state: reloaded
-
 # NOTE(yoctozepto): this handler dance is to ensure we delay restarting master
 # keepalived and haproxy which control VIP address until we have working backups.
 # This could be improved by checking if backup keepalived do not report FAULT state.

diff --git a/releasenotes/notes/firewalld-immediate-c2abf09977c455a9.yaml b/releasenotes/notes/firewalld-immediate-c2abf09977c455a9.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Modifies public API firewalld rules to be applied immediately to a running
+    firewalld service. This requires firewalld to be running, but avoids
+    reloading firewalld, which is disruptive due to the way in which firewalld
+    builds its firewall chains.