Ensure firewall rules are saved

If the /etc/sysconfig/ip*tables files are still empty when we reach the Firewall save block. Then we should ensure the rules are saved. Closes-bug: #1956825 Resolves: rhbz#2063232 Change-Id: Idfb2ae61c7aa9725f6e5eb495ed7ea301d4df8b3 (cherry picked from commit 1b37fe3869)
2022-01-08 12:36:31 +00:00 · 2022-01-08 12:36:31 +00:00 · 7f1e4d5e87
parent 6ea190d71d
commit 7f1e4d5e87
1 changed files with 14 additions and 1 deletions
--- a/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
@ -58,9 +58,22 @@
        tripleo_rules: "{{ firewall_rules_sorted }}"
      register: _iptables_result

+    # If the iptables file is still empty at this point, we need to run iptables-save.
+    # We can assume that if the iptables file is empty, the ip6tables file is probably
+    # empty as well. So let's use this to run the Firewall save block in such a case.
+    # bz: https://bugzilla.redhat.com/show_bug.cgi?id=2033570
+    - name: Check for empty ruleset
+      lineinfile:
+        name: /etc/sysconfig/iptables
+        line: "# empty ruleset created by deployed-server bootstrap"
+        state: absent
+      check_mode: true
+      register: _empty_ruleset
+
 - name: Firewall save block
  when:
-    - _iptables_result.changed
+    - _iptables_result.changed or
+      _empty_ruleset.changed
  become: true
  block:
    - name: Save firewall rules ipv4