Bug 2130010

Summary: [RFE] ha_cluster: convert ha_cluster role to use firewall, selinux and certificate role
Product: Red Hat Enterprise Linux 9
Reporter: Noriko Hosoi <nhosoi>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Evgeny Fedin <efedin>
Severity: unspecified
Docs Contact: Steven J. Levine <slevine>
Priority: unspecified
Version: 9.2
CC: djez, efedin, mnovacek, pasik, rmeggins, slevine, spetrosi
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 9.2
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:ha_cluster
Doc Type: Enhancement
Doc Text:
.The `ha_cluster` System Role now supports automated execution of the `firewall`, `selinux`, and `certificate` System Roles

The `ha_cluster` RHEL System Role now supports the following features:

Using the `firewall` and `selinux` System Roles to manage port access::
To have the role open the cluster ports in `firewalld` and label them for SELinux, set the new role variables `ha_cluster_manage_firewall` and `ha_cluster_manage_selinux` to `true`. The `ha_cluster` System Role then runs the `firewall` and `selinux` System Roles itself, so these operations are automated as part of the `ha_cluster` run. If these variables are left at their default value of `false`, the roles are not run. With this release, the firewall is therefore no longer configured by default; it is configured only when `ha_cluster_manage_firewall` is set to `true`.

Using the `certificate` System Role to create a `pcsd` private key and certificate pair::
The `ha_cluster` System Role now supports the `ha_cluster_pcsd_certificates` role variable. Its value is passed on as the `certificate_requests` variable of the `certificate` System Role. This provides an alternative method for creating the private key and certificate pair for `pcsd`.
Story Points: ---
Clone Of: ---
Clones: 2130019
Last Closed: 2023-05-09 07:37:53 UTC
Type: Enhancement
Bug Blocks: 2130019

Description Noriko Hosoi 2022-09-26 21:25:32 UTC
Description of problem:

The ha_cluster role can use the firewall role and the selinux role to manage port access.

#### `ha_cluster_manage_firewall`

boolean, default: false

Manage the `firewall high-availability service` as well as the `fence-virt port`.
When `ha_cluster_manage_firewall` is `true`, the `firewall high-availability
service` and `fence-virt port` are enabled.
When `ha_cluster_manage_firewall` is `false`, the `ha_cluster role` does not
manage the firewall.

NOTE: `ha_cluster_manage_firewall` is limited to *adding* ports.
It cannot be used for *removing* ports.
If you want to remove ports, you will need to use the firewall system
role directly.

NOTE: In version 1.7.5 or older of the `ha_cluster` role, the firewall was
configured by default if firewalld was available when the `ha_cluster` role
was executed. In newer versions this no longer happens unless
`ha_cluster_manage_firewall` is set to `true`.

#### `ha_cluster_manage_selinux`

boolean, default: false

Manage the ports belonging to the `firewall high-availability service` using
the selinux role.
When `ha_cluster_manage_selinux` is `true`, the ports belonging to the
`firewall high-availability service` are associated with the selinux port type
`cluster_port_t`.
When `ha_cluster_manage_selinux` is `false`, the `ha_cluster role` does not
manage SELinux.

NOTE: The firewall configuration is a prerequisite for managing SELinux. If the
firewall is not installed, managing the SELinux policy is skipped.

NOTE: `ha_cluster_manage_selinux` is limited to *adding* policy.
It cannot be used for *removing* policy.
If you want to remove policy, you will need to use the selinux system
role directly.
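
The following playbook is an added illustration of the variables described in the comment above; it is not from the bug report, the errata, or the ha_cluster role's own documentation. The first play enables the firewall, selinux and certificate handling through `ha_cluster_manage_firewall`, `ha_cluster_manage_selinux` and `ha_cluster_pcsd_certificates`; the second play shows the "removal" path the notes refer to, calling the firewall and selinux roles directly because the `ha_cluster_manage_*` switches only add. Everything not named on this page is an assumption: the inventory group `cluster_nodes`, the `ha_cluster_cluster_name` and `ha_cluster_hacluster_password` variables, the role names used in `roles:`, the fields of a `certificate_requests` item (`name`, `common_name`, `ca`), the `firewall` and `selinux_ports` list formats of the firewall and selinux roles, and the fence-virt port number.

```yaml
# Added example, not the role's own code. Assumed items are marked.
- name: Deploy a cluster and let ha_cluster open and label its ports
  hosts: cluster_nodes                       # assumed inventory group
  vars:
    ha_cluster_cluster_name: my-cluster      # assumed role variable
    ha_cluster_hacluster_password: "{{ vault_hacluster_password }}"  # assumed vault var
    # Both default to false: without these two lines the role touches
    # neither firewalld nor the SELinux port labels.
    ha_cluster_manage_firewall: true         # high-availability service + fence-virt port
    ha_cluster_manage_selinux: true          # requires the firewall step; skipped otherwise
    # Handed to the certificate role as certificate_requests, so pcsd gets
    # a key/cert pair from that role instead of generating its own.
    ha_cluster_pcsd_certificates:            # item fields assumed from the certificate role
      - name: FILENAME
        common_name: "{{ ansible_hostname }}"
        ca: self-sign
  roles:
    - rhel-system-roles.ha_cluster           # assumed role name

# ha_cluster_manage_firewall / ha_cluster_manage_selinux only add; to take
# the openings back, call the firewall and selinux roles yourself.
- name: Close the high-availability ports again
  hosts: cluster_nodes
  vars:
    firewall:                                # list format assumed from the firewall role
      - service: high-availability
        state: disabled
        permanent: true
      - port: 1229/tcp                       # assumed fence-virt port
        state: disabled
        permanent: true
    selinux_ports:                           # list format assumed from the selinux role
      - ports: 2224                          # assumed: a port the first play labelled
        proto: tcp
        setype: cluster_port_t
        state: absent
        local: true                          # only local port mappings can be dropped;
                                             # labels from the base policy stay
  roles:
    - rhel-system-roles.firewall             # assumed role name
    - rhel-system-roles.selinux              # assumed role name
```

Run the first play once per cluster change; keep the second play separate, because running it in the same play as `ha_cluster` would re-open in one task what the other closes. Note that `state: absent` on an SELinux port mapping fails for labels that come from the base policy rather than from a local customization, which is why the item is restricted with `local: true`.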

Comment 18 errata-xmlrpc 2023-05-09 07:37:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:2246