Cleanup /etc/sysconfig/iptables on stack update
When running a stack update, puppetlabs-firewall will execute:

    service iptables save

which will export all running iptables rules into /etc/sysconfig/iptables to make the rules consistent. We don't want Neutron-managed rules to be consistent, so we need to remove them from /etc/sysconfig/iptables so that if iptables is restarted, it won't fail because of some missing namespaces managed by Neutron.

See more context at https://bugzilla.redhat.com/show_bug.cgi?id=1541528

Change-Id: Ia38d8e1800c91094f0bdd8744ee608e1757c7d66
Related-Bug: #1747960
parent 89a790fd4b
commit 50bd7f1aef
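The script below is an added example, not code from this change and not puppetlabs-firewall's own code. On a constructed iptables-save dump it reproduces what the two lineinfile tasks do to /etc/sysconfig/iptables, and checks the property the commit message is after: once the Neutron lines are gone, nothing left in the file may still jump to a chain that is no longer declared, because iptables-restore rejects such a file on the next service restart. The dump itself, the individual rules and the "114 neutron-server api" comment are invented (only the neutron-<agent>-<CHAIN> naming follows Neutron's convention), and the tighter strip_neutron_chains pattern is an alternative considered here, not what the change uses.

```bash
#!/usr/bin/env bash
# Added example; not part of the tripleo-heat-templates change and not puppetlabs-firewall code.
# Mirrors what the two lineinfile tasks do to /etc/sysconfig/iptables and shows why every line
# that names a Neutron chain has to go, not only the ":neutron-..." declarations.
# SAMPLE_DUMP is a constructed iptables-save dump: the chains follow Neutron's
# "neutron-<agent>-<CHAIN>" naming, the individual rules and the comments are invented.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-FORWARD - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "114 neutron-server api" -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-INPUT -m physdev --physdev-in tap0 --physdev-is-bridged -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT'

# Same effect as `lineinfile regexp=".*neutron-" state=absent`: every line containing
# "neutron-" is dropped, i.e. the chain declarations, the rules appended to those chains
# and the jumps into them. Reads a dump on stdin, writes the filtered dump to stdout.
strip_neutron_lines() {
    grep -v 'neutron-'
}

# Tighter alternative (an assumption of this example, not what the change does): match the
# chain name only where iptables-save places it, so a Puppet-managed rule whose --comment
# merely contains "neutron-" is kept.
strip_neutron_chains() {
    grep -Ev '^(:|-A )neutron-|-j neutron-'
}

# Deliberately incomplete cleanup, kept to demonstrate the failure mode: removing only the
# declarations leaves "-j neutron-..." jumps that point at chains which no longer exist, and
# iptables-restore refuses such a file on the next service restart.
strip_neutron_declarations_only() {
    grep -v '^:neutron-'
}

# Print, one per line, every chain referenced by "-A <chain>" or "-j <chain>" that no
# ":<chain>" line declares. Built-in targets (ACCEPT, DROP, ...) are not chains and are
# ignored. Prints nothing for a dump that iptables-restore would accept.
dangling_chains() {
    awk '
        /^:/   { declared[substr($1, 2)] = 1 }
        /^-A / {
            used[$2] = 1
            for (i = 3; i <= NF; i++) if ($i == "-j" && i < NF) used[$(i + 1)] = 1
        }
        END {
            for (c in used) {
                if (!(c in declared) && c !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|MARK|MASQUERADE|SNAT|DNAT|REDIRECT)$/)
                    print c
            }
        }
    ' | sort
}

# Helpers that apply one of the filters above to SAMPLE_DUMP and return a count.
count_neutron_lines() { printf '%s\n' "$SAMPLE_DUMP" | "$1" | grep -c 'neutron-' || true; }
count_dangling()      { printf '%s\n' "$SAMPLE_DUMP" | "$1" | dangling_chains | grep -c . || true; }

# Usage: compare the three filters on the sample dump.
for f in strip_neutron_lines strip_neutron_chains strip_neutron_declarations_only; do
    printf '%-32s neutron- lines left: %s   dangling chains: %s\n' \
        "$f" "$(count_neutron_lines "$f")" "$(count_dangling "$f")"
done
```

Running it shows the trade-off: the unanchored filter the change uses leaves no "neutron-" line and no dangling chain, the declarations-only filter leaves three chains referenced but undeclared, and the anchored variant keeps the (invented) Puppet rule whose comment mentions neutron- while still producing a file with no dangling references.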
@ -180,3 +180,19 @@ outputs:
when:
- step|int == 2
- remove_neutron_openvswitch_package|bool
update_tasks:
# puppetlabs-firewall manages security rules via Puppet but make the rules
# consistent by default. Since Neutron also creates some rules, we don't
# want them to be consistent so we have to ensure that they're not stored
# into sysconfig.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
- name: Remove IPv4 iptables rules created by Neutron that are persistent
lineinfile: dest=/etc/sysconfig/iptables
regexp=".*neutron-"
state=absent
when: step|int == 5
- name: Remove IPv6 iptables rules created by Neutron that are persistent
lineinfile: dest=/etc/sysconfig/ip6tables
regexp=".*neutron-"
state=absent
when: step|int == 5
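Review bot: the regexp=".*neutron-" used by both lineinfile tasks is unanchored, so besides Neutron's chains it would also delete any Puppet-managed rule whose --comment text happens to contain "neutron-"; matching the chain name only where iptables-save places it, for example regexp="^(:|-A )neutron-|-j neutron-", keeps such rules while still removing the three things that must all go together: the ":neutron-..." declarations, the "-A neutron-..." rules appended to those chains and the "-j neutron-..." jumps into them (dropping only some of them leaves a reference to a missing chain and iptables-restore rejects the file, which is the failure the tasks are meant to prevent). The tasks run only at step|int == 5 while the other tasks in this file key on step 2; the header comment should state why step 5 is late enough that puppetlabs-firewall's "service iptables save" does not re-persist the Neutron rules afterwards, since nothing in the hunk enforces that ordering. Minor: dest= is the legacy alias of lineinfile's path=, and the single-line key=value form would read better as a YAML mapping like the surrounding tasks.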