From 404d4d0a50f292b1fd6e916cf80813b260621840 Mon Sep 17 00:00:00 2001
From: Paul Bourke <paul.bourke@oracle.com>
Date: Thu, 8 Mar 2018 12:55:05 +0000
Subject: [PATCH] Use zuul firewall rules in gate

Till now we've been flushing iptables in the gates to allow cross node
communication in the multi node ceph jobs. This raised security
concerns; in particular, it exposed memcached to the external net.

This patch uses the infra provided role 'multi-node-firewall' in order
to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
for help with this.

Closes-Bug: #1749326
Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0
---
 .zuul.yaml    | 2 ++
 tests/pre.yml | 9 ++-------
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index 9e0469389e..268c880387 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -71,6 +71,8 @@
       - ^doc/.*
     vars:
       scenario: aio
+    roles:
+        - zuul: openstack-infra/zuul-jobs
 
 - job:
     name: kolla-ansible-centos-source
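Review bot: The new list item under `roles:` is indented four spaces, while the surrounding context lines (`vars:` / `scenario: aio`) step by two. It parses, but an indentation lint would flag it; I would write it as `      - zuul: openstack-infra/zuul-jobs`. The job this block belongs to starts outside the hunk, so I cannot tell whether it is the parent of every job that runs tests/pre.yml. If it is not, those jobs will not have the zuul-jobs roles available when the play asks for `multi-node-firewall`.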
diff --git a/tests/pre.yml b/tests/pre.yml
index d236f6f535..446575bee2 100644
--- a/tests/pre.yml
+++ b/tests/pre.yml
@@ -29,10 +29,5 @@
       hostname:
         name: "{{ inventory_hostname }}"
       become: true
-
-# TODO(inc0): we're dropping iptables rules but in fact we should create
-# linuxbridge-managed tunnels for control and dataplane
-
-    - name: Drop iptables rules
-      command: "iptables -F"
-      become: true
+  roles:
+    - multi-node-firewall
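Review bot: The removed TODO was the only explanation of firewall handling in this play, and the added `roles:` entry at the end of the hunk has no comment saying what replaces it. I would put `# multi-node-firewall (openstack-infra/zuul-jobs) opens traffic between the job's nodes; do not flush iptables here, that exposed memcached externally (bug 1749326)` above `roles:` so the flush is not reintroduced later. Also, Ansible runs a play's `roles:` before its `tasks:`. Assuming the hostname task above sits under `tasks:` (the play starts outside the hunk), the firewall role runs first even though it is written last. Moving `roles:` ahead of the task list would make that order visible to the reader.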