openstack/fuel-library
Code Issues Proposed changes

Add --wait to iptables calls

Browse Source 
This change updates the calls that we us in the ocf scripts to determine
if the rules are present to include the -w flag to prevent the scripts
from failing if another iptables call is currently running. It has been
reported that this can occur when the ocf scripts are running in
parallel to the puppet deployment (firewall task)

Change-Id: Ia603f5643720a5fa5407de36ca75830a7c3f57fa
Closes-Bug: #1605540
This commit is contained in:
Alex Schultz 2016-08-15 09:48:57 -06:00
parent 3abe37493d
commit 10dd6a082e
2 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
files/fuel-ha-utils/ocf/ns_haproxy
View File

@ -264,9 +264,9 @@ block_client_access()
# do not add temporary SYN blocking rule, if it is already exist # do not add temporary SYN blocking rule, if it is already exist
# otherwise, try to add a blocking rule with max of 5 retries # otherwise, try to add a blocking rule with max of 5 retries
local tries=5 local tries=5
until $($RUN_IN_NS iptables -t filter -nvL | grep -q 'temporary SYN block') || [ $tries -eq 0 ]; do until $($RUN_IN_NS iptables -t filter -nvL --wait | grep -q 'temporary SYN block') || [ $tries -eq 0 ]; do
tries=$((tries-1)) tries=$((tries-1))
ocf_run $RUN_IN_NS iptables -t filter -I INPUT -p tcp \ ocf_run $RUN_IN_NS iptables --wait -t filter -I INPUT -p tcp \
-m comment --comment 'temporary SYN block' --syn -j DROP -m comment --comment 'temporary SYN block' --syn -j DROP
sleep 1 sleep 1
done done
@ -281,8 +281,8 @@ block_client_access()
unblock_client_access() unblock_client_access()
{ {
# remove all temporary SYN blocking rules, if there are more than one exist # remove all temporary SYN blocking rules, if there are more than one exist
for i in $($RUN_IN_NS iptables -t filter -nvL --line-numbers | awk '/temporary SYN block/ {print $1}'); do for i in $($RUN_IN_NS iptables -t filter -nvL --wait --line-numbers | awk '/temporary SYN block/ {print $1}'); do
ocf_run $RUN_IN_NS iptables -t filter -D INPUT -p tcp \ ocf_run $RUN_IN_NS iptables --wait -t filter -D INPUT -p tcp \
-m comment --comment 'temporary SYN block' --syn -j DROP -m comment --comment 'temporary SYN block' --syn -j DROP
done done
} }
@ -372,10 +372,10 @@ set_ns_routing() {
fi fi
# set masquerade on host node # set masquerade on host node
iptables -n -t nat -L | grep -q masquerade-for-haproxy-namespace iptables -n --wait -t nat -L | grep -q masquerade-for-haproxy-namespace
if [ $? -gt 0 ]; then if [ $? -gt 0 ]; then
ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}" ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace" ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
fi fi
### Needed for ML2 routing ### ### Needed for ML2 routing ###

4
files/fuel-ha-utils/ocf/ns_vrouter
View File

@ -257,10 +257,10 @@ set_ns_routing() {
fi fi
# set masquerade on host node # set masquerade on host node
iptables -n -t nat -L | grep -q masquerade-for-vrouter-namespace iptables -n --wait -t nat -L | grep -q masquerade-for-vrouter-namespace
if [ $? -gt 0 ]; then if [ $? -gt 0 ]; then
ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}" ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace" ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
fi fi
### Needed for ML2 routing ### ### Needed for ML2 routing ###