Revert "[train/backport] Prevent nftables to interfere with tripleo firewall"
This reverts commitc3b24599d7. Revert "Do not fail if /usr/sbin/nft is not present" This reverts commiteedb679db9. The nftables rules are not enabled now after [1] so reverting the original changes which are not needed. [1] https://git.centos.org/rpms/nftables/c/3730f48 Related-Bug: #1870095 Related-Bug: #1869166 Closes-Bug: #1887112 Change-Id: Ib3309cbbd6f2ca300ec205528402a3836a6f34df
This commit is contained in:
parent
72e20f3835
commit
9db0d36614
|
|
@ -68,35 +68,16 @@ outputs:
|
|||
include ::tripleo::firewall
|
||||
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- - name: Prevent Nftables to set up any rules
|
||||
copy:
|
||||
dest: /etc/sysconfig/nftables.conf
|
||||
content: |
|
||||
# This file has been explicitely emptied and disabled by TripleO
|
||||
# so that nftables and iptables do not race each other
|
||||
register: nftablesconf
|
||||
- when: nftablesconf is changed
|
||||
block:
|
||||
- name: Flush Nftables rules when nftables.conf changed
|
||||
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
|
||||
- name: Restart iptables to restore firewall after flushing nftables
|
||||
systemd:
|
||||
state: reloaded
|
||||
name: "{{item}}"
|
||||
loop:
|
||||
- iptables.service
|
||||
- ip6tables.service
|
||||
- if:
|
||||
- no_ctlplane
|
||||
- -
|
||||
name: Ensure ctlplane subnet is set
|
||||
fail:
|
||||
msg: |
|
||||
No CIDRs found in the ctlplane network tags.
|
||||
Please refer to the documentation in order to
|
||||
set the correct network tags in DeployedServerPortMap.
|
||||
- null
|
||||
if:
|
||||
- no_ctlplane
|
||||
-
|
||||
name: Ensure ctlplane subnet is set
|
||||
fail:
|
||||
msg: |
|
||||
No CIDRs found in the ctlplane network tags.
|
||||
Please refer to the documentation in order to
|
||||
set the correct network tags in DeployedServerPortMap.
|
||||
- null
|
||||
|
||||
deploy_steps_tasks:
|
||||
- when: step|int == 0
|
||||
|
|
|
|||
Loading…
Reference in New Issue