Update git submodules

* Update tripleo-heat-templates from branch 'master'
  - Merge "Clean unmanaged rules pushed by iptables-services package"
  - Clean unmanaged rules pushed by iptables-services package
    
    As iptables-services injects default rules, we must ensure,
    upon upgrade, that none of those unmanaged rules are present
    in the firewall, nor in the iptables saved state.
    
    We cannot remove them with puppet nor ansible due to the following
    reasons:
    
    - puppetlabs-firewall, the puppet module used in TripleO, manages
      the firewall resources with comments - the comment value is the
      name of the puppet resource. As the default rules have no comment,
      puppet doesn't "see" them as managed resources, and can't affect
      them.
    
    - we can't simply "flush" all the rules and reapply them, because
      puppet does not manage all the rules - some are managed by neutron,
      for example.
    
    - ansible "iptables" module doesn't make a full match of the chain,
      and might drop the unwanted ones, keeping the unmanaged in place.
      Also, it doesn't take care of the saved state.
    
    SecurityImpact
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887
    Closes-Bug: #1812695
    Change-Id: I59733cb9a0323bbce4e20838a78103a70ec0d426
Zuul 2019-02-05 21:32:53 +00:00 committed by Gerrit Code Review
parent 878fc052b0
commit 261c94e134
1 changed files with 1 additions and 1 deletions
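
The commit message above says puppetlabs-firewall recognises its rules by their comment and that both the running firewall and the saved state must be checked. The following audit is an added example, not code from tripleo-heat-templates or from this commit: it lists rules that carry no comment in `iptables-save` formatted text. The function names, the sample rule set and its comment strings are constructed for illustration, and a rule without a comment is only reported, not removed, because the message notes that some rules are managed by neutron.

```python
import shlex

# Constructed sample in `iptables-save` format: two rules carry a
# comment in the style puppetlabs-firewall writes, three carry none.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "003 accept ssh" -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def uncommented_rules(save_text):
    """Return {(table, chain): [rule, ...]} for rules with no --comment."""
    table, found = None, {}
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
        elif line.startswith("-A "):      # appended rule: "-A CHAIN ..."
            tokens = shlex.split(line)    # keeps quoted comments as one token
            if "--comment" not in tokens:
                found.setdefault((table, tokens[1]), []).append(line)
    return found


def audit(running_text, saved_text):
    """Check the live rule set and the saved state separately."""
    return {"running": uncommented_rules(running_text),
            "saved": uncommented_rules(saved_text)}


if __name__ == "__main__":
    # Both inputs are the constructed sample here; on a host they would be
    # the output of `iptables-save` and the contents of the saved state file.
    for where, hits in audit(SAMPLE_SAVE, SAMPLE_SAVE).items():
        for (table, chain), rules in hits.items():
            for rule in rules:
                print(f"{where} {table}/{chain}: {rule}")
```
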

@ -1 +1 @@
Subproject commit ad21014ad9656ee4c84e079549e946cc94616a90
Subproject commit e1062e14e43928084e964d63d8d02f02c59c6b73
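
Review bot: the new pointer e1062e14e4 on the single changed line pulls in a change tagged SecurityImpact, yet the message only lists why puppet and ansible cannot remove the default rules and never names the mechanism that does remove them or how neutron-managed rules are kept out of it. Suggest adding a sentence to the message that names that mechanism and the check confirming that both the running firewall and the iptables saved state are clean after the upgrade, since the one-line pointer change cannot be reviewed on its own.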