Really stop using firewalld

On some centos7 builds there is no firewalld so we have to be a bit
smarter about how we disable it. New method is to run an exec that stops
the service if it is running then use a package resource to uninstall it
completely. All of this happens before we install the iptables service
so they should not conflict with each other.

One trick is we have to "purge" the package, because it may well have
dependencies (on RAX images, firewalld-fail2ban is installed along
with a bunch of other monitoring-type things by the "helpful"
tool-installation script that runs automatically).  The "yum" provider
in puppet actually says to do this in its documentation:

  "Using this provider's `uninstallable` feature will not remove
  dependent packages. To remove dependent packages with this provider
  use the `purgeable` feature, but note this feature is destructive
  and should be used with the utmost care."

Change-Id: I0750de9e75b63190531a3d39a5fcbb19f8e8c49e
Clark Boylan 2015-08-31 14:22:26 -07:00
parent 7503162cc4
commit 95670757ae
1 changed file with 8 additions and 4 deletions


@ -44,10 +44,14 @@ class iptables(
# end up with no firewall rules at all. Disable firewalld so that
# iptables-service can be in charge.
if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease >= '7') {
service { 'firewalld':
ensure => 'stopped',
enable => false,
before => Package['iptables'],
exec { 'stop-firewalld-if-running':
command => '/usr/bin/systemctl stop firewalld',
onlyif => '/usr/bin/pgrep firewalld',
}
package { 'firewalld':
ensure => 'purged',
require => Exec['stop-firewalld-if-running'],
before => Package['iptables'],
}
}
}
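Review bot: The `onlyif => '/usr/bin/pgrep firewalld'` guard on `stop-firewalld-if-running` keys the stop on a process-name regex rather than on unit state, so it is both looser (any process whose name contains `firewalld` satisfies it) and inconsistent with the `systemctl stop firewalld` it guards; consider `onlyif => '/usr/bin/systemctl is-active firewalld'` so the check and the action agree on what "running" means. Dropping the `service` resource also drops `enable => false`; that is only safe because `package { 'firewalld': ensure => 'purged' }` removes the unit file, so a short comment in the hunk saying the purge is what prevents firewalld from returning at boot would save the next reader a trip to the commit message.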