Bug 2130019

Summary: [RFE] ha_cluster: convert ha_cluster role to use firewall, selinux and certificate role
Product: Red Hat Enterprise Linux 8
Reporter: Noriko Hosoi <nhosoi>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: unspecified
Docs Contact: Steven J. Levine <slevine>
Priority: unspecified
Version: 8.8
CC: djez, efedin, mnovacek, rhel-cs-system-management-subsystem-qe, rmeggins, spetrosi
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:ha_cluster
Fixed In Version: rhel-system-roles-1.21.0-0.10.el8
Doc Type: Enhancement
Doc Text:
.The `ha_cluster` System Role now supports automated execution of the `firewall`, `selinux`, and `certificate` System Roles

The ha_cluster RHEL System Role now supports the following features:

Using the `firewall` and `selinux` System Roles to manage port access::
To configure the ports of a cluster to run the `firewalld` and `selinux` services, you can set the new role variables `ha_cluster_manage_firewall` and `ha_cluster_manage_selinux` to `true`. This configures the cluster to use the `firewall` and `selinux` System Roles, automating and performing these operations within the `ha_cluster` System Role. If these variables are set to their default value of `false`, the roles are not performed. With this release, the firewall is no longer configured by default, because it is configured only when `ha_cluster_manage_firewall` is set to `true`.

Using the `certificate` System Role to create a `pcsd` private key and certificate pair::
The `ha_cluster` System Role now supports the `ha_cluster_pcsd_certificates` role variable. Setting this variable passes on its value to the `certificate_requests` variable of the `certificate` System Role. This provides an alternative method for creating the private key and certificate pair for `pcsd`.

Story Points: ---
Clone Of: 2130010
Environment:
Last Closed: 2023-05-16 08:31:12 UTC
Type: Enhancement
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2130010
Bug Blocks:
Deadline: 2023-01-16

Description Noriko Hosoi 2022-09-26 22:13:53 UTC
+++ This bug was initially created as a clone of Bug #2130010 +++

Description of problem:

The ha_cluster role can use the firewall role and the selinux role to manage port access.

#### `ha_cluster_manage_firewall`

boolean, default: false

Manage the `firewall high-availability service` as well as the `fence-virt port`.
When `ha_cluster_manage_firewall` is `true`, the `firewall high-availability
service` and `fence-virt port` are enabled.
When `ha_cluster_manage_firewall` is `false`, the `ha_cluster role` does not
manage the firewall.

NOTE: `ha_cluster_manage_firewall` is limited to *adding* ports.
It cannot be used for *removing* ports.
If you want to remove ports, you will need to use the firewall system
role directly.

NOTE: In version 1.7.5 or older of the `ha_cluster` role, the firewall was
configured by default if firewalld was available when the `ha_cluster` role
was executed. In newer versions, this does not happen unless
`ha_cluster_manage_firewall` is set to `true`.

#### `ha_cluster_manage_selinux`

boolean, default: false

Manage the ports belonging to the `firewall high-availability service` using
the selinux role.
When `ha_cluster_manage_selinux` is `true`, the ports belonging to the
`firewall high-availability service` are associated with the selinux port type
`cluster_port_t`.
When `ha_cluster_manage_selinux` is `false`, the `ha_cluster role` does not
manage SELinux.

NOTE: The firewall configuration is a prerequisite for managing SELinux. If the
firewall is not installed, managing the SELinux policy is skipped.

NOTE: `ha_cluster_manage_selinux` is limited to *adding* policy.
It cannot be used for *removing* policy.
If you want to remove policy, you will need to use the selinux system
role directly.

--- Additional comment from RHEL Program Management on 2022-09-26 21:25:39 UTC ---

The keyword FutureFeature has been added. If this bug is not a FutureFeature, please remove from the Summary field any strings containing "RFE, rfe, FutureFeature, FEAT, Feat, feat".
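The following playbook is an added example, not part of this bug report and not code from the rhel-system-roles project. It opts in to the behaviour described above: `ha_cluster_manage_firewall` and `ha_cluster_manage_selinux` are set to `true` so that the `firewall` and `selinux` roles open the `high-availability` service and label its ports `cluster_port_t`, and `ha_cluster_pcsd_certificates` is set so the `certificate` role generates the `pcsd` key and certificate pair. The inventory group `cluster_nodes`, the cluster name, the vault variable holding the `hacluster` password, and the role name `rhel-system-roles.ha_cluster` are assumptions. The second play is a read-only check of the end state on each node; because the firewall is no longer touched by default and the role only ever adds ports, such a check is the place where a missing service (forgotten opt-in) or a stale port (needs the firewall role directly) becomes visible.

```yaml
# Added example; not from the bug report or the rhel-system-roles project.
# Assumed values: inventory group, cluster name, vault variable, role name.
- name: Configure the cluster with managed firewall, SELinux ports and pcsd certificate
  hosts: cluster_nodes                                   # assumed inventory group
  become: true
  vars:
    ha_cluster_cluster_name: example-cluster             # assumed value
    ha_cluster_hacluster_password: "{{ vault_hacluster_password }}"  # assumed vault var
    # Both default to false. The role only adds ports/policy; removal must be
    # done with the firewall or selinux role directly.
    ha_cluster_manage_firewall: true
    ha_cluster_manage_selinux: true
    # Passed through as certificate_requests to the certificate role.
    ha_cluster_pcsd_certificates:
      - name: pcsd
        common_name: "{{ ansible_hostname }}"
        ca: self-sign
  roles:
    - rhel-system-roles.ha_cluster                       # assumed role name

- name: Verify what the run left on each node (read-only checks)
  hosts: cluster_nodes
  become: true
  tasks:
    - name: List firewalld services in the default zone
      ansible.builtin.command: firewall-cmd --list-services
      changed_when: false
      register: fw_services

    - name: Fail if the high-availability service is not open
      ansible.builtin.assert:
        that: "'high-availability' in fw_services.stdout.split()"
        fail_msg: "ha_cluster_manage_firewall was true but the high-availability service is not enabled"

    - name: List SELinux port labels
      ansible.builtin.command: semanage port -l
      changed_when: false
      register: semanage_ports

    - name: Show which port entries carry the cluster_port_t label
      ansible.builtin.debug:
        msg: "{{ semanage_ports.stdout_lines | select('search', 'cluster_port_t') | list }}"
```

Run with `ansible-playbook -i inventory ha_cluster.yml --ask-vault-pass` (file names assumed). Keeping the verification as a separate play means it can be re-run on its own later to detect drift between the ports the cluster expects and the ports actually open; it does not change anything, so it is safe to run against production nodes.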

Comment 18 errata-xmlrpc 2023-05-16 08:31:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:2804