Stop iptables from being enabled by force

This change enables convergence in containers by removing iptables in a workaround as a result of upstream[1] efforts[2]. [1] https://review.rdoproject.org/r/9702 [2] https://review.rdoproject.org/r/9703 Change-Id: I8793cb8d1ee376d45e7521b8ff9434c704e05497
2018-06-25 06:08:27 -07:00 · 2018-06-25 06:08:27 -07:00 · 766e9fba5c
parent 3abbcabe46
commit 766e9fba5c
2 changed files with 16 additions and 0 deletions
--- a/files/default/neutron-enable-bridge-firewall.sh
+++ b/files/default/neutron-enable-bridge-firewall.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+# this script is intentionally reduced to an exit call to eliminate the
+# automatic invocation of iptables.
+# lp: https://bugs.launchpad.net/neutron/+bug/1622914
+# bz: https://bugzilla.redhat.com/show_bug.cgi?id=1421022
+exit 0
--- a/recipes/default.rb
+++ b/recipes/default.rb
@ -73,6 +73,15 @@ template '/etc/neutron/rootwrap.conf' do
  )
 end

+cookbook_file '/usr/bin/neutron-enable-bridge-firewall.sh' do
+  source 'neutron-enable-bridge-firewall.sh'
+  owner 'root'
+  group 'wheel'
+  mode '0755'
+  action :create
+  only_if { node['platform_family'] == 'redhat' }
+end
+
 if node['openstack']['mq']['service_type'] == 'rabbit'
  node.default['openstack']['network']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'network'
 end