firewall: don't reload IPtables after cleanup

This patch stops the IPtables reload when doing Neutron rules cleanup.

Full context:
puppetlabs-firewall only manages the current state of iptables
rules and writes out the rules to a file to ensure they are
persisted. We are specifically running the following commands after the
iptables rules to ensure the persisted file does not contain any
ephemeral neutron rules. Neutron assumes the iptables rules are not
persisted so it may cause an issue if the rule is loaded on boot
(or via iptables restart). If an operator needs to reload iptables
for any reason, they may need to manually reload the appropriate
neutron agent to restore these iptables rules.

rhbz#1541528
Related-Bug: #1747960
Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf
(cherry picked from commit 5fc0b5600d)
Emilien Macchi 2018-03-11 08:30:19 +01:00
parent 75fac1a938
commit 26dfe7aaba
1 changed file with 12 additions and 23 deletions

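The commit message above describes the mechanism (puppetlabs-firewall persists the live ruleset to /etc/sysconfig/iptables, and a sed pass strips the ephemeral neutron-* lines from that file). The following is an added example, not code from puppet-tripleo or puppetlabs-firewall, showing that cleanup as a plain shell function with an idempotent guard. The rules file content is constructed for the demo, and the file path is a parameter rather than the real /etc/sysconfig/iptables. It also contrasts the `grep -q neutron-` guard with a `grep -v neutron-` guard of the kind seen in the onlyif lines in the diff, which succeeds whenever any line lacks "neutron-" and therefore fires on every run.

```shell
#!/bin/sh
# Added example (not project code): strip ephemeral neutron-* rules from a
# persisted iptables rules file, as the nonpersistent_*_rules_cleanup execs do,
# using a guard that only fires when there is something to strip.

# has_neutron_rules FILE -> exit 0 if FILE exists and holds a neutron- rule.
# This mirrors `test -f FILE && grep -q neutron- FILE`, the correct guard.
has_neutron_rules() {
    [ -f "$1" ] && grep -q 'neutron-' "$1"
}

# broken_guard FILE -> exit 0 if FILE exists and has ANY line without
# "neutron-". This is what `test -f FILE && grep -v neutron- FILE` evaluates
# to, so it keeps returning success after the cleanup already ran.
broken_guard() {
    [ -f "$1" ] && grep -v 'neutron-' "$1" >/dev/null
}

# cleanup_nonpersistent_rules FILE: delete every line mentioning neutron-
# (same edit as `sed -i /neutron-/d`, done via a temp file so it is portable),
# but only when the guard says the file still contains such lines.
# Prints "cleaned" or "noop" so the caller can tell whether it touched the file.
cleanup_nonpersistent_rules() {
    if has_neutron_rules "$1"; then
        sed '/neutron-/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
        echo cleaned
    else
        echo noop
    fi
}

# count_neutron_lines FILE -> number of lines still referencing neutron-.
count_neutron_lines() {
    grep -c 'neutron-' "$1" || true
}

# line_count FILE -> total number of lines in FILE.
line_count() {
    wc -l < "$1" | tr -d ' '
}

# make_sample_rules FILE: write a constructed iptables-save style file holding
# two puppet-managed rules and three neutron-* lines (one chain definition,
# one jump into it, one rule inside it). Hypothetical content for the demo.
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:neutron-openvswi-INPUT - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -m comment --comment "001 accept all icmp" -p icmp -j ACCEPT
-A neutron-openvswi-INPUT -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: create the sample, clean it twice, show the guard behaviour.
demo() {
    f=$(mktemp)
    make_sample_rules "$f"
    echo "before: $(count_neutron_lines "$f") neutron lines"
    echo "first pass:  $(cleanup_nonpersistent_rules "$f")"
    echo "second pass: $(cleanup_nonpersistent_rules "$f")"
    if broken_guard "$f"; then
        echo "grep -v guard would still run sed on the cleaned file"
    fi
    rm -f "$f"
}

[ "${1:-}" = "demo" ] && demo
```

Only the sysconfig file is edited here; the live ruleset is untouched, which is the point of the commit. Following the cleanup with `systemctl reload iptables` would load the trimmed file into the kernel and drop the running neutron-* chains, the situation the commit message says then needs a manual restart of the neutron agent.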

@ -104,35 +104,24 @@ class tripleo::firewall(
$service_names = hiera('service_names', [])
tripleo::firewall::service_rules { $service_names: }
# puppetlabs-firewall manages security rules via Puppet but make the rules
# consistent by default. Since Neutron also creates some rules, we don't
# want them to be consistent so we have to ensure that they're not stored
# into sysconfig.
# puppetlabs-firewall only manages the current state of iptables
# rules and writes out the rules to a file to ensure they are
# persisted. We are specifically running the following commands after the
# iptables rules to ensure the persisted file does not contain any
# ephemeral neutron rules. Neutron assumes the iptables rules are not
# persisted so it may cause an issue if the rule is loaded on boot
# (or via iptables restart). If an operator needs to reload iptables
# for any reason, they may need to manually reload the appropriate
# neutron agent to restore these iptables rules.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
# Also, we need to reload IPtables after the cleanup to make sure rules aren't persistent
# anymore.
# NOTE(aschultz): this needs to be a reload and not a restart due to
# BZ#1520534 where iptables my unload modules (like openvswitch) when it
# restarts.
exec { 'nonpersistent_v4_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
notify => Exec['reload_iptables'],
}
exec { 'reload_iptables':
command => 'systemctl reload iptables',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
refreshonly => true,
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
}
exec { 'nonpersistent_v6_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
notify => Exec['reload_ip6tables'],
}
exec { 'reload_ip6tables':
command => 'systemctl reload ip6tables',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
refreshonly => true,
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
}
Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
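Review bot: the `onlyif` on `nonpersistent_v4_rules_cleanup` and `nonpersistent_v6_rules_cleanup` (`/bin/test -f ... && /bin/grep -v neutron- ...`) succeeds whenever the file holds any line without "neutron-", so the sed runs on every agent run and the exec is never idempotent; invert it to `/bin/grep -q neutron- /etc/sysconfig/iptables` (the form the `reload_iptables` guard already uses) so the resource fires only when there is something to strip. With the reload execs gone, the `notify => Exec['reload_iptables']` and `notify => Exec['reload_ip6tables']` lines must go with them, otherwise Puppet fails on the dangling reference, and the comment block starting "Also, we need to reload IPtables after the cleanup" together with the NOTE(aschultz) lines should be dropped as they describe behaviour the class no longer has. The replacement comment should say why the reload was wrong: editing the sysconfig file already makes the neutron rules non-persistent, whereas `systemctl reload iptables` loads that trimmed file into the live ruleset and removes the running neutron-* chains, which is exactly the case the paragraph above says requires a manual neutron agent restart. Minor: the two comment paragraphs above the execs ("puppetlabs-firewall manages security rules via Puppet ..." and "puppetlabs-firewall only manages the current state ...") say the same thing; keep one.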