From 2eb6db4c781cda8f7732a289a4408923dab1a033 Mon Sep 17 00:00:00 2001
From: Ash Cripps
Date: Mon, 23 Dec 2019 16:01:35 +0000
Subject: [PATCH] ansible: add back the firewall rules for rhel7_s390x (#2104)
* ansible: add back the firewall rules for rhel7_s390x
* ansible: remove firewalld and install iptables on rhel-s390x
---
 ansible/roles/baselayout/vars/main.yml | 2 +-
 ansible/roles/jenkins-worker/tasks/main.yml | 40 +++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/baselayout/vars/main.yml b/ansible/roles/baselayout/vars/main.yml
index 02492bae6..5365d18fb 100644
--- a/ansible/roles/baselayout/vars/main.yml
+++ b/ansible/roles/baselayout/vars/main.yml
@@ -87,7 +87,7 @@ packages: {
 ],
 rhel7: [
- 'gcc-c++,sudo,git,zip,unzip',
+ 'gcc-c++,sudo,git,zip,unzip,iptables-services',
 ],
 smartos: [
diff --git a/ansible/roles/jenkins-worker/tasks/main.yml b/ansible/roles/jenkins-worker/tasks/main.yml
index 9347b1b09..1b227db11 100644
--- a/ansible/roles/jenkins-worker/tasks/main.yml
+++ b/ansible/roles/jenkins-worker/tasks/main.yml
@@ -73,6 +73,46 @@
 - "{{ role_path }}/tasks/partials/tap2junit/pip.yml"
 skip: true
+- name: Firewall | enable iptables
+ command: systemctl enable iptables
+ when: "'rhel7-s390x' in inventory_hostname"
+
+- name: Firewall | check for firewalld
+ raw: stat /usr/sbin/firewalld
+ register: has_firewalld
+ failed_when: has_firewalld.rc > 1
+ when: "'rhel7-s390x' in inventory_hostname"
+
+- name: Firewall | remove firewalld
+ when: has_firewalld.rc == 0
+ raw: yum remove -y firewalld
+ when: "'rhel7-s390x' in inventory_hostname"
+
+- name: Firewall | add rule to allow accepting multicast
+ lineinfile:
+ dest: /etc/sysconfig/iptables
+ insertafter: ":OUTPUT ACCEPT.*]"
+ line: "-A INPUT -m pkttype --pkt-type multicast -j ACCEPT"
+ when: "'rhel7-s390x' in inventory_hostname"
+
+- name: Firewall | add basic rule to allow communication locally
+ lineinfile:
+ dest: /etc/sysconfig/iptables
+ insertafter: ":OUTPUT ACCEPT.*]"
+ line: "-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT"
+ when: "'rhel7-s390x' in inventory_hostname"
+
+- name: Firewall | add additional rule to allow communication from 127.0.0.2
+ lineinfile:
+ dest: /etc/sysconfig/iptables
+ insertafter: ":OUTPUT ACCEPT.*]"
+ line: "-A INPUT -s 127.0.0.2/32 -d 127.0.0.1/32 -j ACCEPT"
+ when: "'rhel7-s390x' in inventory_hostname"
+
+- name: Firewall | make the new firewall rules take effect
+ command: systemctl restart iptables
+ when: "'rhel7-s390x' in inventory_hostname"
+
 - name: download slave.jar
 when: not os|startswith("zos")
 get_url:
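Review bot: The `Firewall | remove firewalld` task carries two `when:` keys; a YAML mapping cannot hold duplicate keys, so Ansible either rejects the task or keeps only the last one, which silently drops the `has_firewalld.rc == 0` guard and runs `yum remove -y firewalld` on every pass. Fold both conditions into one list, host check first so that `has_firewalld.rc` is never evaluated on hosts where the stat task was skipped and registered without an `rc`: `when:` / `  - "'rhel7-s390x' in inventory_hostname"` / `  - has_firewalld.rc == 0`. While there, the `raw`/`command` calls would be better as the `stat`, `yum` and `service` modules, and the unconditional `systemctl restart iptables` at the end reloads the whole ruleset on every run even when no `lineinfile` task changed anything, so a `notify` to a restart handler is the idempotent form (sketched below; the handler itself would live in the role's handlers file, outside this hunk). Two caveats on the rules themselves: the loopback lines match on 127.0.0.0/8 addresses rather than on the interface, so they apply to such packets arriving on any interface (the conventional line is `-A INPUT -i lo -j ACCEPT`), and whether inserting after `:OUTPUT ACCEPT` lands the new ACCEPTs ahead of any trailing REJECT depends on the existing `/etc/sysconfig/iptables`, which is not visible here — worth checking the rendered file on the host.
```yaml
- name: Firewall | check for firewalld
  stat:
    path: /usr/sbin/firewalld
  register: has_firewalld
  when: "'rhel7-s390x' in inventory_hostname"

- name: Firewall | remove firewalld
  yum:
    name: firewalld
    state: absent
  when:
    - "'rhel7-s390x' in inventory_hostname"
    - has_firewalld.stat.exists

# … unchanged: the three lineinfile rule tasks, each gaining `notify: restart iptables` …

# The trailing `Firewall | make the new firewall rules take effect` task is
# replaced by a `restart iptables` handler (service: name=iptables state=restarted).
```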