From 3380a16974defc62db65fbc8e30e2510b57b84b6 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Fri, 15 May 2015 13:12:02 +1000
Subject: [PATCH] Disable firewalld always
We've bike-sheded over this before (I5252a12223a35f7fb7a4ac3c58aa4a3cd1bc4799) but I have just traced down further issues to firewalld with neutron+ipv6 (see the bug). In fact, as mentioned in the comments, RDO disables firewalld and the neutron guide says to disable it [1]. The force flag is left if anyone really wants this; but nobody is testing (or, as far as I can tell, working on) this so bring devstack back into line and disable it always. Note we do not remove the package; as has been found in the puppet scripts this can lead to dependency issues.
[1] http://docs.openstack.org/developer/devstack/guides/neutron.html
Change-Id: Ief7cb33d926a9538f4eb39c74d906ee0c879de35
Partial-Bug: 1455303
---
 lib/nova_plugins/functions-libvirt | 11 -----------
 tools/fixup_stuff.sh | 27 ++++++++++++++++++---------
 2 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index 04da5e2b60..96d8a44b05 100755
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -39,17 +39,6 @@ function install_libvirt {
 pip_install_gr libvirt-python
 install_package python-libguestfs
 fi
-
- # Restart firewalld after install of libvirt to avoid a problem
- # with polkit, which libvirtd brings in. See
- # https://bugzilla.redhat.com/show_bug.cgi?id=1099031
-
- # Note there is a difference between F20 rackspace cloud images
- # and HP images used in the gate; rackspace has firewalld but hp
- # cloud doesn't.
- if is_fedora && is_package_installed firewalld; then
- sudo service firewalld restart || true
- fi
 }
 # Configures the installed libvirt system so that is accessible by
diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index 2efb4e0987..31258d13f7 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -109,19 +109,28 @@ if is_fedora; then
 fi
 FORCE_FIREWALLD=$(trueorfalse False $FORCE_FIREWALLD)
- if [[ ${DISTRO} =~ (f20) && $FORCE_FIREWALLD == "False" ]]; then
+ if [[ $FORCE_FIREWALLD == "False" ]]; then
 # On Fedora 20 firewalld interacts badly with libvirt and
- # slows things down significantly. However, for those cases
- # where that combination is desired, allow this fix to be skipped.
-
- # There was also an additional issue with firewalld hanging
- # after install of libvirt with polkit. See
- # https://bugzilla.redhat.com/show_bug.cgi?id=1099031
+ # slows things down significantly (this issue was fixed in
+ # later fedoras). There was also an additional issue with
+ # firewalld hanging after install of libvirt with polkit [1].
+ # firewalld also causes problems with neturon+ipv6 [2]
+ #
+ # Note we do the same as the RDO packages and stop & disable,
+ # rather than remove. This is because other packages might
+ # have the dependency [3][4].
+ #
+ # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1099031
+ # [2] https://bugs.launchpad.net/neutron/+bug/1455303
+ # [3] https://github.com/redhat-openstack/openstack-puppet-modules/blob/master/firewall/manifests/linux/redhat.pp
+ # [4] http://docs.openstack.org/developer/devstack/guides/neutron.html
 if is_package_installed firewalld; then
- uninstall_package firewalld
+ sudo systemctl disable firewalld
+ sudo systemctl enable iptables
+ sudo systemctl stop firewalld
+ sudo systemctl start iptables
 fi
 fi
-
 fi
 # The version of pip(1.5.4) supported by python-virtualenv(1.11.4) has
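Review bot: The added `sudo systemctl enable iptables` and `sudo systemctl start iptables` lines assume an iptables service unit is already installed, and nothing in the hunk checks for it or for the exit status of either call; as far as I know Fedora ships that unit separately (iptables-services), so a host without it would end up with firewalld stopped and disabled and no managed packet filter in its place. I would make the dependency explicit before firewalld is touched, e.g. `is_package_installed iptables-services || install_package iptables-services`, and stop firewalld only once the iptables unit is known to be present. The comment also still opens with "On Fedora 20" although the `${DISTRO} =~ (f20)` test is gone, and it no longer says that setting FORCE_FIREWALLD skips this block; a line such as `# Applies to all Fedora releases; set FORCE_FIREWALLD=True to keep firewalld.` would cover both. The enclosing `if is_fedora; then` block starts above the hunk.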