From 50bd7f1aef5fe4536870542c6c3009e54c83e12f Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Thu, 8 Feb 2018 18:14:15 -0800
Subject: [PATCH] Cleanup /etc/sysconfig/iptables on stack update

When running a stack update, puppetlabs-firewall will execute: service iptables save Which will export all running iptables rules into /etc/sysconfig/iptables to make the rules consistent. We don't want Neutron-managed rules to be consistent, so we need to remove them from /etc/sysconfig/iptables so if iptables is restarted, it won't fail because of some missing namespaces managed by Neutron. See more context on https://bugzilla.redhat.com/show_bug.cgi?id=1541528

Change-Id: Ia38d8e1800c91094f0bdd8744ee608e1757c7d66
Related-Bug: #1747960
---
 docker/services/neutron-ovs-agent.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml
index 3012e2ff4c..b68249543d 100644
--- a/docker/services/neutron-ovs-agent.yaml
+++ b/docker/services/neutron-ovs-agent.yaml
@@ -180,3 +180,19 @@ outputs:
 when:
 - step|int == 2
 - remove_neutron_openvswitch_package|bool
+ update_tasks:
+ # puppetlabs-firewall manages security rules via Puppet but make the rules
+ # consistent by default. Since Neutron also creates some rules, we don't
+ # want them to be consistent so we have to ensure that they're not stored
+ # into sysconfig.
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
+ - name: Remove IPv4 iptables rules created by Neutron that are persistent
+ lineinfile: dest=/etc/sysconfig/iptables
+ regexp=".*neutron-"
+ state=absent
+ when: step|int == 5
+ - name: Remove IPv6 iptables rules created by Neutron that are persistent
+ lineinfile: dest=/etc/sysconfig/ip6tables
+ regexp=".*neutron-"
+ state=absent
+ when: step|int == 5
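Review bot: Both added lineinfile tasks pass their module arguments as an inline `key=value` string (`lineinfile: dest=/etc/sysconfig/iptables regexp=".*neutron-" state=absent`), whereas the file's existing tasks, judging by the `when:` list in the context lines, are written in block YAML; block-style args avoid the inline form's quoting pitfalls, and the `.*` prefix is redundant because lineinfile searches the regexp anywhere in the line. The two tasks differ only in the target path, so one task iterating over both files removes the duplication, as sketched below. In the added comment block, "consistent" appears to be a slip for "persistent", which is what the task names say and what `service iptables save` produces: `# puppetlabs-firewall manages security rules via Puppet but makes the rules persistent by default.` The `when:` conditions in the context lines belong to a task whose start is outside the hunk.
```yaml
update_tasks:
  # … unchanged: comment explaining why Neutron-created rules are removed …
  - name: Remove persistent iptables rules created by Neutron
    lineinfile:
      dest: "{{ item }}"
      regexp: 'neutron-'
      state: absent
    with_items:
      - /etc/sysconfig/iptables
      - /etc/sysconfig/ip6tables
    when: step|int == 5
```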