Firewall: NOT persist ephemetal ironic-inspector rules

When Ironic Inspector is configured to use the iptables pxe_filter driver it uses ephemeral firewall rules. This change ensures that these rules are not persisted. Ironic Inspector iptables filter driver does not set comments on it's rules. This patch use the string: '-m comment --comment' to ensure rules created by puppet-tripleo firewall is not accidentally removed from the persisted firewall rules. Change-Id: Ic90804db8dd74fce78169d9857a150d5ebf40cbb Related-Bug: #1765700
2018-04-21 13:26:44 +02:00 · 2018-04-21 13:26:44 +02:00 · 94ca328e5d
commit 94ca328e5d
parent 81a3dbae50
1 changed files with 22 additions and 0 deletions
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@ -150,7 +150,29 @@ class tripleo::firewall(
      command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
      onlyif  => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
    }
+
+    # Do not persist ephemeral firewall rules mananged by ironic-inspector
+    # pxe_filter 'iptables' driver.
+    # https://bugs.launchpad.net/tripleo/+bug/1765700
+    # https://storyboard.openstack.org/#!/story/2001890
+    exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
+      command => '/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables',
+      onlyif  => [
+          '/bin/test -f /etc/sysconfig/iptables',
+          '/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
+      ]
+    }
+    exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
+      command => '/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
+      onlyif  => [
+          '/bin/test -f /etc/sysconfig/ip6tables',
+          '/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
+      ]
+    }
+
    Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
    Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
+    Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup']
+    Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup']
  }
 }