Remove neutron-managed firewall rules from /etc/sysconfig/iptables

See https://bugzilla.redhat.com/show_bug.cgi?id=1541528 We don't want IPtables rules managed by Neutron to be persistent, it can cause issues when rule are recreated while a namespace doesn't exist. This patch makes sure that in any Neutron node, no IPtables rule will be persistent if it contains "neutron-" in the name. Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c Related-Bug: #1747960
2018-02-07 11:40:16 -08:00 · 2018-02-07 11:40:16 -08:00 · 3c71c483e3
commit 3c71c483e3
parent a8909732bc
2 changed files with 35 additions and 1 deletions
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@ -103,6 +103,35 @@ class tripleo::firewall(
    #     action: accept
    $service_names = hiera('service_names', [])
    tripleo::firewall::service_rules { $service_names: }
-  }

+    # puppetlabs-firewall manages security rules via Puppet but make the rules
+    # consistent by default. Since Neutron also creates some rules, we don't
+    # want them to be consistent so we have to ensure that they're not stored
+    # into sysconfig.
+    # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
+    # Also, we need to restart IPtables after the cleanup to make sure rules aren't persistent
+    # anymore.
+    exec { 'nonpersistent_v4_rules_cleanup':
+      command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
+      onlyif  => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
+      notify  => Exec['restart_iptables'],
+    }
+    exec { 'restart_iptables':
+      command     => 'sudo service iptables restart',
+      path        => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
+      refreshonly => true,
+    }
+    exec { 'nonpersistent_v6_rules_cleanup':
+      command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
+      onlyif  => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
+      notify  => Exec['restart_ip6tables'],
+    }
+    exec { 'restart_ip6tables':
+      command     => 'sudo service ip6tables restart',
+      path        => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
+      refreshonly => true,
+    }
+    Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
+    Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
+  }
 }
--- a/releasenotes/notes/neutron_iptables-9ea317c73b79929d.yaml
+++ b/releasenotes/notes/neutron_iptables-9ea317c73b79929d.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    IPtables rules managed by Neutron won't be persistent on the host anymore.
+    Instead, they'll be removed (if exist) from /etc/sysconfig/iptables.