
Add firewall support for opensuse

openSUSE Leap uses its own firewall manager called SuSEfirewall2, which
is capable of loading custom iptables rules. This patch adds the
necessary configuration to tell SuSEfirewall2 where to look for custom
firewall rules so that we can manage openSUSE firewall rules in the same
way we manage firewall rules for other images.

Change-Id: Ifaebda6c7775244668710340831e12aabf9e86bc
tags/before-jenkins-config-removed
Colleen Murphy 2 years ago
parent
commit
ffafa8f773

+ 1
- 1
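--- a/nodepool/elements/infra-package-needs/pkg-map
+++ b/nodepool/elements/infra-package-needs/pkg-map
@@ -36,7 +36,7 @@
       "puppet": "ruby2.1-rubygem-puppet",
       "python-dev": "python-devel",
       "python3-dev": "python3-devel",
-      "iptables": "iptables",
+      "iptables": "iptables SuSEfirewall2",
       "uuid-runtime": "uuidd"
     }
   },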

+ 16
- 0
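--- a/nodepool/elements/nodepool-base/install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/install.d/20-iptables
@@ -28,6 +28,10 @@ elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     rules_dir=/etc/sysconfig
     ipv4_rules=${rules_dir}/iptables
     ipv6_rules=${rules_dir}/ip6tables
+elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+    rules_dir=/etc/sysconfig
+    ipv4_rules=${rules_dir}/iptables
+    ipv6_rules=${rules_dir}/ip6tables
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1
@@ -82,3 +86,15 @@ cat > $ipv6_rules << EOF
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
 EOF
+
+if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+    sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
+
+    cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
+fw_custom_after_finished() {
+    /usr/sbin/iptables-restore $ipv4_rules
+    /usr/sbin/ip6tables-restore $ipv6_rules
+}
+EOF
+
+fi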
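Review bot: The `sed -i` in the new opensuse block of install.d/20-iptables only rewrites an existing `FW_CUSTOMRULES=` line and exits 0 when nothing matches, so if /etc/sysconfig/SuSEfirewall2 has that setting commented out or absent, the custom script is never loaded and the image boots with the distribution's default ruleset instead of the rules written above, with no build failure. A check right after the `sed` would make that visible: `grep -q '^FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"' /etc/sysconfig/SuSEfirewall2 || exit 1`. The generated `fw_custom_after_finished` also calls `iptables-restore` without `--noflush`, which replaces the contents of the tables named in the rules file, presumably including what SuSEfirewall2 has just installed; if that is intended, a comment such as `# replaces the SuSEfirewall2-generated ruleset with ours` above the heredoc would say so. The unquoted `<<EOF` expands `$ipv4_rules` and `$ipv6_rules` at build time, which looks deliberate.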

+ 2
- 0
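--- a/nodepool/elements/nodepool-base/post-install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/post-install.d/20-iptables
@@ -28,6 +28,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
     fi
 elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     service_name=iptables
+elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
+    service_name=SuSEfirewall2
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1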
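Review bot: The new branch in post-install.d/20-iptables tests `"$DISTRO_NAME" == 'opensuse'` (exact match) while install.d/20-iptables in the same commit uses `=~ 'opensuse'` (substring match), so a DISTRO_NAME that contains but does not equal `opensuse` would have its rules and SuSEfirewall2 configuration written by install.d and then fall through to `exit 1` here. Whether such a value can occur is not visible from this page, but the two scripts should use the same test, e.g. `elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then` in both. The if/elif chain starts and ends outside the hunk.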
