Cleanup /etc/sysconfig/iptables on stack update

When running a stack update, puppetlabs-firewall will execute: service iptables save Which will export all running iptables rules into /etc/sysconfig/iptables to make the rules consistent. We don't want Neutron-managed rules to be consistent, so we need to remove them from /etc/sysconfig/iptables so if iptables is restarted, it won't fail because of some missing namespaces managed by Neutron. See more context on https://bugzilla.redhat.com/show_bug.cgi?id=1541528 Change-Id: Ia38d8e1800c91094f0bdd8744ee608e1757c7d66 Related-Bug: #1747960
2018-02-08 18:14:15 -08:00 · 2018-02-08 18:14:15 -08:00 · 50bd7f1aef
commit 50bd7f1aef
parent 89a790fd4b
1 changed files with 16 additions and 0 deletions
--- a/docker/services/neutron-ovs-agent.yaml
+++ b/docker/services/neutron-ovs-agent.yaml
@ -180,3 +180,19 @@ outputs:
              when:
                - step|int == 2
                - remove_neutron_openvswitch_package|bool
+      update_tasks:
+        # puppetlabs-firewall manages security rules via Puppet but make the rules
+        # consistent by default. Since Neutron also creates some rules, we don't
+        # want them to be consistent so we have to ensure that they're not stored
+        # into sysconfig.
+        # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
+        - name: Remove IPv4 iptables rules created by Neutron that are persistent
+          lineinfile: dest=/etc/sysconfig/iptables
+                      regexp=".*neutron-"
+                      state=absent
+          when: step|int == 5
+        - name: Remove IPv6 iptables rules created by Neutron that are persistent
+          lineinfile: dest=/etc/sysconfig/ip6tables
+                      regexp=".*neutron-"
+                      state=absent
+          when: step|int == 5