
Revert "[train/backport] Prevent nftables to interfere with tripleo firewall"

This reverts commit c3b24599d7.

Revert "Do not fail if /usr/sbin/nft is not present"

This reverts commit eedb679db9.

The nftables rules are no longer enabled after [1], so the original
changes are not needed and are reverted.

[1] https://git.centos.org/rpms/nftables/c/3730f48

Related-Bug: #1870095
Related-Bug: #1869166
Closes-Bug: #1887112
Change-Id: Ib3309cbbd6f2ca300ec205528402a3836a6f34df
changes/63/739963/5
yatinkarel 11 months ago
parent
commit
9db0d36614
1 changed files with 10 additions and 29 deletions
  1. +10
    -29
      deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml

+ 10
- 29
deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml

@ -68,35 +68,16 @@ outputs:
include ::tripleo::firewall
host_prep_tasks:
list_concat:
- - name: Prevent Nftables to set up any rules
copy:
dest: /etc/sysconfig/nftables.conf
content: |
# This file has been explicitely emptied and disabled by TripleO
# so that nftables and iptables do not race each other
register: nftablesconf
- when: nftablesconf is changed
block:
- name: Flush Nftables rules when nftables.conf changed
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
- name: Restart iptables to restore firewall after flushing nftables
systemd:
state: reloaded
name: "{{item}}"
loop:
- iptables.service
- ip6tables.service
- if:
- no_ctlplane
- -
name: Ensure ctlplane subnet is set
fail:
msg: |
No CIDRs found in the ctlplane network tags.
Please refer to the documentation in order to
set the correct network tags in DeployedServerPortMap.
- null
if:
- no_ctlplane
-
name: Ensure ctlplane subnet is set
fail:
msg: |
No CIDRs found in the ctlplane network tags.
Please refer to the documentation in order to
set the correct network tags in DeployedServerPortMap.
- null
deploy_steps_tasks:
- when: step|int == 0
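Review bot: The new `host_prep_tasks` block (the `if:` over `no_ctlplane` that replaces the `list_concat`) drops the guard that kept nftables from racing the iptables rules installed by `include ::tripleo::firewall`, and nothing in the template records why that is now considered safe. The commit message ties the revert to a change in the nftables package, which is an assumption about the host image rather than something the template checks; on a host where nftables.service is already enabled the two rulesets could presumably still compete. I would add a comment above `host_prep_tasks:` such as `# nftables is expected to stay disabled by the package defaults; tripleo::firewall manages iptables only`, so the next reader knows the safeguard was removed deliberately rather than lost. If that assumption is worth enforcing, a single fact-gathering task that fails when nftables.service is active would make it explicit and easy to detect at deploy time. The `host_prep_tasks` and `deploy_steps_tasks` stanzas continue outside the hunk.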

