Use iptables for openSUSE

In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the openSUSE nodeset to use plain
iptables rather than injecting iptables rules into the SuSEfirewall2
service. This will work on both Tumbleweed and Leap nodesets.

openSUSE provides no iptables-service package the way the RHEL family
does, so we can't fall back to that. Rather than try to convert iptables
rules to firewalld syntax, this change leverages init.d to ensure
iptables rules are loaded at boot. The 89-unbound script has been
coopted for this purpose since it already creates
/etc/init.d/boot.local. Switched from `dd` to `cat` which makes
conditionally composing the file more natural.

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd

nodepool/elements/infra-package-needs/pkg-map

@@ -49,7 +49,7 @@
       "python-dev": "python-devel",
       "python3-dev": "python3-devel",
       "python3": "python3",
-      "iptables": "iptables SuSEfirewall2",
+      "iptables": "iptables",
       "uuid-runtime": "uuidd"
     }
   },

nodepool/elements/nodepool-base/finalise.d/89-boot-settings

@@ -124,7 +124,7 @@ else
     # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
     if [[ ! -e /etc/rc.local ]] && [[ ! -e /etc/debian_version ]]; then
         if [[ ! -d /etc/rc.d ]]; then
-            echo "No rc.local and no rc.d directory!  See comments in 89-unbound"
+            echo "No rc.local and no rc.d directory!  See comments in 89-boot-settings"
             exit 1
         fi
         touch /etc/rc.d/rc.local
@@ -137,7 +137,7 @@ fi
 
 # Overwrite /etc/resolv.conf at boot (let's hope nothing else is using
 # rc.local...)
-dd of=$rclocal <<EOF
+cat >$rclocal <<EOF
 #!/bin/bash
 set -o xtrace
 
@@ -150,6 +150,16 @@ set -e
 
 echo 'nameserver 127.0.0.1' > /etc/resolv.conf
 
+EOF
+# openSUSE doesn't have an iptables service, so apply the iptables rules at boot
+if [[ "${DISTRO_NAME}" =~ (opensuse) ]] ; then
+    cat >>$rclocal <<EOF
+iptables-restore /etc/sysconfig/iptables
+ip6tables-restore /etc/sysconfig/ip6tables
+
+EOF
+fi
+cat >>$rclocal <<EOF
 exit 0
 EOF
 

nodepool/elements/nodepool-base/install.d/20-iptables

@@ -90,14 +90,3 @@ cat > $ipv6_rules << EOF
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
 EOF
-
-if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
-    sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
-
-    cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
-fw_custom_after_finished() {
-    /usr/sbin/iptables-restore $ipv4_rules
-    /usr/sbin/ip6tables-restore $ipv6_rules
-}
-EOF
-fi

nodepool/elements/nodepool-base/post-install.d/20-iptables

@@ -29,7 +29,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
 elif [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
     service_name=iptables
 elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
-    service_name=SuSEfirewall2
+    # handle iptables through init.d instead of a service
+    exit 0
 elif [[ "$DISTRO_NAME" == 'gentoo' ]] ; then
     # for use in loops in both openrc and systemd
     service_name='iptables ip6tables'