Disable firewalld always

We've bike-sheded over this before (I5252a12223a35f7fb7a4ac3c58aa4a3cd1bc4799) but I have just traced down further issues to firewalld with neutron+ipv6 (see the bug). In fact, as mentioned in the comments, RDO disables firewalld and the neutron guide says to disable it [1]. The force flag is left if anyone really wants this; but nobody is testing (or, as far as I can tell, working on) this so bring devstack back into line and disable it always. Note we do not remove the package; as has been found in the puppet scripts this can lead to dependency issues. [1] http://docs.openstack.org/developer/devstack/guides/neutron.html Change-Id: Ief7cb33d926a9538f4eb39c74d906ee0c879de35 Partial-Bug: 1455303
2015-05-15 13:12:02 +10:00 · 2015-05-15 13:12:02 +10:00 · 3380a16974
commit 3380a16974
parent 9e220b9b2b
2 changed files with 18 additions and 20 deletions
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@ -39,17 +39,6 @@ function install_libvirt {
        pip_install_gr libvirt-python
        install_package python-libguestfs
    fi
-
-    # Restart firewalld after install of libvirt to avoid a problem
-    # with polkit, which libvirtd brings in.  See
-    # https://bugzilla.redhat.com/show_bug.cgi?id=1099031
-
-    # Note there is a difference between F20 rackspace cloud images
-    # and HP images used in the gate; rackspace has firewalld but hp
-    # cloud doesn't.
-    if is_fedora && is_package_installed firewalld; then
-        sudo service firewalld restart || true
-    fi
 }

 # Configures the installed libvirt system so that is accessible by
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@ -109,19 +109,28 @@ if is_fedora; then
    fi

    FORCE_FIREWALLD=$(trueorfalse False $FORCE_FIREWALLD)
-    if [[ ${DISTRO} =~ (f20) && $FORCE_FIREWALLD == "False" ]]; then
+    if [[ $FORCE_FIREWALLD == "False" ]]; then
        # On Fedora 20 firewalld interacts badly with libvirt and
-        # slows things down significantly.  However, for those cases
-        # where that combination is desired, allow this fix to be skipped.
-
-        # There was also an additional issue with firewalld hanging
-        # after install of libvirt with polkit.  See
-        # https://bugzilla.redhat.com/show_bug.cgi?id=1099031
+        # slows things down significantly (this issue was fixed in
+        # later fedoras).  There was also an additional issue with
+        # firewalld hanging after install of libvirt with polkit [1].
+        # firewalld also causes problems with neturon+ipv6 [2]
+        #
+        # Note we do the same as the RDO packages and stop & disable,
+        # rather than remove.  This is because other packages might
+        # have the dependency [3][4].
+        #
+        # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1099031
+        # [2] https://bugs.launchpad.net/neutron/+bug/1455303
+        # [3] https://github.com/redhat-openstack/openstack-puppet-modules/blob/master/firewall/manifests/linux/redhat.pp
+        # [4] http://docs.openstack.org/developer/devstack/guides/neutron.html
        if is_package_installed firewalld; then
-            uninstall_package firewalld
+            sudo systemctl disable firewalld
+            sudo systemctl enable iptables
+            sudo systemctl stop firewalld
+            sudo systemctl start iptables
        fi
    fi
-
 fi

 # The version of pip(1.5.4) supported by python-virtualenv(1.11.4) has