Reload iptables instead of restart

Due to bz#1520534, restarting iptables may cause unrelated kernel
modules to be unloaded. To avoid triggering this condition, we should
reload iptables from its configuration rather than restart the whole
process.

Change-Id: Ifc625eb51f6cc2a0a4cf4f83ac7a4978db641d75
Closes-Bug: #1752441
Closes-Bug: #1753492
Alex Schultz 2018-03-05 11:06:52 -07:00
parent b3d0b2f25a
commit bb5013920a


@ -136,25 +136,28 @@ class tripleo::firewall(
# want them to be consistent so we have to ensure that they're not stored # want them to be consistent so we have to ensure that they're not stored
# into sysconfig. # into sysconfig.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528 # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
# Also, we need to restart IPtables after the cleanup to make sure rules aren't persistent # Also, we need to reload IPtables after the cleanup to make sure rules aren't persistent
# anymore. # anymore.
# NOTE(aschultz): this needs to be a reload and not a restart due to
# BZ#1520534 where iptables my unload modules (like openvswitch) when it
# restarts.
exec { 'nonpersistent_v4_rules_cleanup': exec { 'nonpersistent_v4_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables', command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables', onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
notify => Exec['restart_iptables'], notify => Exec['reload_iptables'],
} }
exec { 'restart_iptables': exec { 'reload_iptables':
command => 'sudo service iptables restart', command => 'systemctl reload iptables',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
refreshonly => true, refreshonly => true,
} }
exec { 'nonpersistent_v6_rules_cleanup': exec { 'nonpersistent_v6_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables', command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables', onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
notify => Exec['restart_ip6tables'], notify => Exec['reload_ip6tables'],
} }
exec { 'restart_ip6tables': exec { 'reload_ip6tables':
command => 'sudo service ip6tables restart', command => 'systemctl reload ip6tables',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'], path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
refreshonly => true, refreshonly => true,
} }
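Review bot: `systemctl reload iptables` in the `reload_iptables` exec (and `systemctl reload ip6tables` in `reload_ip6tables`) only succeeds when the unit is already active, whereas the `service ... restart` it replaces would also start a stopped service, so on a host where iptables.service is installed but not running the refresh now fails the Puppet run instead of applying the cleaned-up configuration. Unless it is already known that these units are always running when this class is applied, guard the refresh, e.g. `onlyif => 'systemctl is-active --quiet iptables'` (and the ip6tables equivalent), so a stopped firewall is reported by the onlyif rather than as an exec failure; a stopped firewall is the weaker state, so it should still be visible in the run output rather than silently skipped. Presumably the reload applies the edited /etc/sysconfig/iptables through the unit's ExecReload, which is what makes the sed cleanup take effect live — worth confirming on the target platform and stating in the NOTE comment. That NOTE also reads "iptables my unload modules"; `# BZ#1520534 where iptables may unload modules (like openvswitch) when it` is intended. The enclosing class `tripleo::firewall` begins before the hunk and continues after it.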