Clean up /etc/sysconfig/iptables on stack update

When running a stack update, puppetlabs-firewall will execute:

  service iptables save

which exports all running iptables rules into
/etc/sysconfig/iptables to make the rules consistent.

We don't want Neutron-managed rules to be consistent, so we need to
remove them from /etc/sysconfig/iptables so if iptables is restarted,
it won't fail because of some missing namespaces managed by Neutron.

See more context on https://bugzilla.redhat.com/show_bug.cgi?id=1541528

Change-Id: Ia38d8e1800c91094f0bdd8744ee608e1757c7d66
Related-Bug: #1747960
Emilien Macchi 2018-02-08 18:14:15 -08:00
parent 89a790fd4b
commit 50bd7f1aef
1 changed files with 16 additions and 0 deletions


@ -180,3 +180,19 @@ outputs:
when:
- step|int == 2
- remove_neutron_openvswitch_package|bool
update_tasks:
# puppetlabs-firewall manages security rules via Puppet but make the rules
# consistent by default. Since Neutron also creates some rules, we don't
# want them to be consistent so we have to ensure that they're not stored
# into sysconfig.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
- name: Remove IPv4 iptables rules created by Neutron that are persistent
lineinfile: dest=/etc/sysconfig/iptables
regexp=".*neutron-"
state=absent
when: step|int == 5
- name: Remove IPv6 iptables rules created by Neutron that are persistent
lineinfile: dest=/etc/sysconfig/ip6tables
regexp=".*neutron-"
state=absent
when: step|int == 5
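Review bot: `regexp=".*neutron-"` in both lineinfile tasks is an unanchored substring match, so with `state=absent` it deletes every line of the saved ruleset that contains "neutron-" anywhere, including any Puppet- or operator-managed rule whose `--comment` text happens to contain that string, not only the chains and jumps Neutron itself created; the leading `.*` adds nothing, since lineinfile's regexp is already a search, not a full-line match. Suggest anchoring the pattern to the places where Neutron's chain names actually appear in an iptables-save file (chain declarations and `-A`/`-j` references), for instance `regexp='^(:|-A |.*-j )neutron-'`, and stating in the comment block that every line referencing such a chain is dropped, because removing a jump without its chain (or vice versa) would leave the file in the same unloadable state the task is meant to prevent. Since the two tasks differ only in `dest`, they could also be collapsed into one task that loops over `/etc/sysconfig/iptables` and `/etc/sysconfig/ip6tables`.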