Really stop using firewalld

On some centos7 builds there is no firewalld so we have to be a bit smarter about how we disable it. New method is to run an exec that stops the service if it is running then use a package resource to uninstall it completely. All of this happens before we install the iptables service so they should not conflict with each other.

One trick is we have to "purge" the package, because it may well have dependencies (on RAX images, firewalld-fail2ban is installed along with a bunch of other monitoring-type things by the "helpful" tool-installation script that runs automatically). The "yum" provider in puppet actually says to do this in its documentation:

"Using this provider's `uninstallable` feature will not remove dependent packages. To remove dependent packages with this provider use the `purgeable` feature, but note this feature is destructive and should be used with the utmost care."

Change-Id: I0750de9e75b63190531a3d39a5fcbb19f8e8c49e
parent 7503162cc4
commit 95670757ae
@ -44,10 +44,14 @@ class iptables(
# end up with no firewall rules at all. Disable firewalld so that
# iptables-service can be in charge.
if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease >= '7') {
service { 'firewalld':
ensure => 'stopped',
enable => false,
before => Package['iptables'],
exec { 'stop-firewalld-if-running':
command => '/usr/bin/systemctl stop firewalld',
onlyif => '/usr/bin/pgrep firewalld',
}
package { 'firewalld':
ensure => 'purged',
require => Exec['stop-firewalld-if-running'],
before => Package['iptables'],
}
}
}
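Review bot: The comment above the conditional still says only "Disable firewalld so that iptables-service can be in charge", but `ensure => 'purged'` on `package { 'firewalld':` now removes the package and everything that depends on it, which the commit message itself calls destructive. Please extend the in-manifest comment to say that firewalld is purged along with its dependents (the message names firewalld-fail2ban on RAX images), so someone reading the class later knows that monitoring or banning tooling can disappear from the host as a side effect and can reinstall what they still need against iptables. Separately, in `stop-firewalld-if-running` the `onlyif` guard asks the process table (`/usr/bin/pgrep firewalld`) while the command goes through systemd; using `/usr/bin/systemctl is-active --quiet firewalld` as the guard would keep both on the same source of truth and would still return non-zero on builds where the unit does not exist.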