Prevent triggering firewall actions while configuring HA services

When a fence_xvm stonith device is configured, puppet module fence_xvm creates
firewall rules to configure this fencing device.

When transient containers *_init_bundle run at step 5 or above, fence_xvm will
end up calling iptables, which is forbidden from such containers.

We can't noop the firewall resources like we did in [1], because fence_xvm
makes use of specific providers for some resources [2]. So instead, we do not
include module fence_xvm when running from a container. This is safe
because the firewall rules needed for the fencing configuration are still
created when puppet is executed on the host at step 5. (Besides, only that
fencing device requires firewall rules)

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/haproxy.yaml#L160
[2] e.g. https://github.com/openstack/puppet-pacemaker/blob/master/manifests/stonith/fence_xvm.pp#L237

Change-Id: I595f8bc22e76868b7dace400667d53f3c4565248
Related: rhbz#1598904
This commit is contained in:
Damien Ciabrini 2018-07-18 11:02:41 -04:00 committed by Alex Schultz
parent 85a302b9a1
commit 907853e35f


@ -67,8 +67,10 @@ class tripleo::fencing(
$all_devices = $config['devices']
$xvm_devices = local_fence_devices('fence_xvm', $all_devices)
create_resources('pacemaker::stonith::fence_xvm', $xvm_devices, $common_params)
if $::uuid != 'docker' {
$xvm_devices = local_fence_devices('fence_xvm', $all_devices)
create_resources('pacemaker::stonith::fence_xvm', $xvm_devices, $common_params)
}
$ipmilan_devices = local_fence_devices('fence_ipmilan', $all_devices)
create_resources('pacemaker::stonith::fence_ipmilan', $ipmilan_devices, $common_params)
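Review bot: the guard `if $::uuid != 'docker' {` encodes a convention (the `uuid` fact being set to `docker` when puppet runs from a transient container) that nothing in the manifest explains, so the reason for skipping fence_xvm only lives in this commit message. Add a short comment above the `if` stating that fence_xvm creates firewall rules via providers that call iptables, which the *_init_bundle containers are not allowed to do, and that the rules are still created by the host-side puppet run at step 5. The same comment should say that the `fence_ipmilan` branch below is deliberately left unguarded because that device does not need firewall rules, otherwise a later reader may "fix" the asymmetry in either direction.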