Fix duplicate entries in /etc/sysconfig/iptables

Commit 94ca328e5d
introduced filters for ephemeral firewall rules
managed by Ironic Inspector's iptables PXE filter.
These new filters cause duplicate entries in the
persisted firewall rules.

The sed expression '/-m comment --comment/p' was used
to ensure the ironic-inspector api port is not
accidentally removed. But the expression also
matches several other entries causing duplicates
to be written.

This change enhances the expression to check for
'-m comment --comment' and 'ironic-inspector'.

Closes-Bug: #1771128
Change-Id: I0a75a7aff9b1a0afbad63e4b6b5159f4351c7ee8
Harald Jensås 2018-05-14 20:38:18 +02:00 committed by Alex Schultz
parent b2d7cab5f1
commit cafb998f9e

@ -156,14 +156,14 @@ class tripleo::firewall(
# https://bugs.launchpad.net/tripleo/+bug/1765700
# https://storyboard.openstack.org/#!/story/2001890
exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
command => '/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables',
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/iptables',
onlyif => [
'/bin/test -f /etc/sysconfig/iptables',
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
]
}
exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
command => '/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
onlyif => [
'/bin/test -f /etc/sysconfig/ip6tables',
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
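Review bot: both replaced `command` lines still rely on the print-then-delete trick (`/.../p;/ironic-inspector/d`) that produced the original duplicates, so any later widening of the first address reintroduces the bug; a negated address such as `/ironic-inspector/{/-m comment --comment/!d}` states the intent (drop ironic-inspector rules that carry no comment) directly and cannot duplicate a line. The new pattern `-m comment --comment.*ironic-inspector` also assumes the comment module always appears before the string `ironic-inspector` on the rule line; that is the case for the comment-tagged rules shown here, but a short comment in the manifest saying so would help the next person touching this. Since the v4 and v6 exec resources differ only in the file name, the sed expression would be safer kept in a single variable so the two cannot drift apart, and the unchanged `onlyif` grep should keep using the same comment pattern as the sed command for the same reason.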