Merge "firewall: don't reload IPtables after cleanup"
commit
0f70e273d2
|
@ -131,35 +131,24 @@ class tripleo::firewall(
|
||||||
$service_names = hiera('service_names', [])
|
$service_names = hiera('service_names', [])
|
||||||
tripleo::firewall::service_rules { $service_names: }
|
tripleo::firewall::service_rules { $service_names: }
|
||||||
|
|
||||||
# puppetlabs-firewall manages security rules via Puppet but make the rules
|
|
||||||
# consistent by default. Since Neutron also creates some rules, we don't
|
# puppetlabs-firewall only manages the current state of iptables
|
||||||
# want them to be consistent so we have to ensure that they're not stored
|
# rules and writes out the rules to a file to ensure they are
|
||||||
# into sysconfig.
|
# persisted. We are specifically running the following commands after the
|
||||||
|
# iptables rules to ensure the persisted file does not contain any
|
||||||
|
# ephemeral neutron rules. Neutron assumes the iptables rules are not
|
||||||
|
# persisted so it may cause an issue if the rule is loaded on boot
|
||||||
|
# (or via iptables restart). If an operator needs to reload iptables
|
||||||
|
# for any reason, they may need to manually reload the appropriate
|
||||||
|
# neutron agent to restore these iptables rules.
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
|
||||||
# Also, we need to reload IPtables after the cleanup to make sure rules aren't persistent
|
|
||||||
# anymore.
|
|
||||||
# NOTE(aschultz): this needs to be a reload and not a restart due to
|
|
||||||
# BZ#1520534 where iptables my unload modules (like openvswitch) when it
|
|
||||||
# restarts.
|
|
||||||
exec { 'nonpersistent_v4_rules_cleanup':
|
exec { 'nonpersistent_v4_rules_cleanup':
|
||||||
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
|
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
|
||||||
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
|
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
|
||||||
notify => Exec['reload_iptables'],
|
|
||||||
}
|
|
||||||
exec { 'reload_iptables':
|
|
||||||
command => 'systemctl reload iptables',
|
|
||||||
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
|
|
||||||
refreshonly => true,
|
|
||||||
}
|
}
|
||||||
exec { 'nonpersistent_v6_rules_cleanup':
|
exec { 'nonpersistent_v6_rules_cleanup':
|
||||||
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
|
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
|
||||||
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
|
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
|
||||||
notify => Exec['reload_ip6tables'],
|
|
||||||
}
|
|
||||||
exec { 'reload_ip6tables':
|
|
||||||
command => 'systemctl reload ip6tables',
|
|
||||||
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
|
|
||||||
refreshonly => true,
|
|
||||||
}
|
}
|
||||||
Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
|
Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
|
||||||
Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
|
Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
|
||||||
|
|
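Review bot: The `command` line of `nonpersistent_v4_rules_cleanup` matches `neutron-` as an unanchored substring, so any persisted rule that merely contains that string — for example an operator-defined Firewall resource whose `--comment` mentions `neutron-` — is also silently dropped from `/etc/sysconfig/iptables` while it stays in the running ruleset, and the new `grep -q` in `onlyif` then makes the exec a quiet no-op on later runs. If neutron only ever creates chains named `neutron-*` (the new header comment implies this, but nothing in the hunk shows it), anchoring the pattern to chain positions narrows the blast radius, e.g. `command => "/bin/sed -i -E '/(^:|-A |-j |-g )neutron-/d' /etc/sysconfig/iptables",` with a matching `grep -qE '(^:|-A |-j |-g )neutron-'` in `onlyif`. Since the reload that previously forced the persisted file and the live ruleset back into agreement is gone, the header comment should also say explicitly that the persisted file is now deliberately a subset of the running rules and that, as far as I can tell, an out-of-band `service iptables save` or `iptables-save` redirect will re-persist the neutron rules until the next Puppet run. The same applies to `nonpersistent_v6_rules_cleanup` further down.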