
Add firewall support for opensuse

openSUSE Leap uses its own firewall manager called SuSEfirewall2, which
is capable of loading custom iptables rules. This patch adds the
necessary configuration to tell SuSEfirewall2 where to look for custom
firewall rules so that we can manage openSUSE firewall rules in the same
way we manage firewall rules for other images.

Change-Id: Ifaebda6c7775244668710340831e12aabf9e86bc
tags/before-jenkins-config-removed
Colleen Murphy 2 years ago
parent
commit
ffafa8f773

+ 1
- 1
nodepool/elements/infra-package-needs/pkg-map View File

@@ -36,7 +36,7 @@
"puppet": "ruby2.1-rubygem-puppet",
"python-dev": "python-devel",
"python3-dev": "python3-devel",
"iptables": "iptables",
"iptables": "iptables SuSEfirewall2",
"uuid-runtime": "uuidd"
}
},

+ 16
- 0
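--- a/nodepool/elements/nodepool-base/install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/install.d/20-iptables
@@ -28,6 +28,10 @@ elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
 rules_dir=/etc/sysconfig
 ipv4_rules=${rules_dir}/iptables
 ipv6_rules=${rules_dir}/ip6tables
+elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+rules_dir=/etc/sysconfig
+ipv4_rules=${rules_dir}/iptables
+ipv6_rules=${rules_dir}/ip6tables
 else
 echo "Unsupported operating system $DISTRO_NAME"
 exit 1
@@ -82,3 +86,15 @@ cat > $ipv6_rules << EOF
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
 EOF
+
+if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
+
+cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
+fw_custom_after_finished() {
+/usr/sbin/iptables-restore $ipv4_rules
+/usr/sbin/ip6tables-restore $ipv6_rules
+}
+EOF
+
+fi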
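Review bot: The `sed -i` in the new opensuse block at the end of the file exits 0 even when /etc/sysconfig/SuSEfirewall2 contains no line starting with `FW_CUSTOMRULES=`, so an image can be built in which the custom hook is never loaded and the openstack-INPUT rules are silently absent. A check right after the substitution makes the build fail closed: `grep -q '^FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"' /etc/sysconfig/SuSEfirewall2 || { echo "FW_CUSTOMRULES not set" >&2; exit 1; }`. The generated `fw_custom_after_finished` calls `iptables-restore` without `--noflush`, which flushes the tables it restores and so discards what SuSEfirewall2 has just built for them; if that is the intent, a comment above the heredoc such as `# nodepool rules deliberately replace SuSEfirewall2's generated rule set` would record it. The heredoc delimiter is unquoted, so `$ipv4_rules` and `$ipv6_rules` are expanded when the image is built, which is presumably intended. The if/elif chain in the first hunk starts and ends outside the visible lines.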

+ 2
- 0
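--- a/nodepool/elements/nodepool-base/post-install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/post-install.d/20-iptables
@@ -28,6 +28,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
 fi
 elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
 service_name=iptables
+elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
+service_name=SuSEfirewall2
 else
 echo "Unsupported operating system $DISTRO_NAME"
 exit 1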
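Review bot: The new branch tests `"$DISTRO_NAME" == 'opensuse'` (exact match), while install.d/20-iptables in the same commit uses `=~ 'opensuse'` (unanchored match). A DISTRO_NAME that only contains "opensuse" would have its rules and SuSEfirewall2 hook written at install time, then fall through to the `else` branch here and `exit 1`. Using the same test in both scripts keeps them in step, for example `elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then` here, or `==` in both if only the exact name is meant to be supported. The if/elif chain starts and ends outside the hunk, so what is done with `service_name` is not visible from here.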
