Merge "Revert "[train/backport] Prevent nftables to interfere with tripleo firewall"" into stable/train

This commit is contained in:
Zuul 2020-07-15 20:22:32 +00:00 committed by Gerrit Code Review
commit a8c4160ec5
1 changed files with 10 additions and 29 deletions


@ -68,35 +68,16 @@ outputs:
include ::tripleo::firewall include ::tripleo::firewall
host_prep_tasks: host_prep_tasks:
list_concat: if:
- - name: Prevent Nftables to set up any rules - no_ctlplane
copy: -
dest: /etc/sysconfig/nftables.conf name: Ensure ctlplane subnet is set
content: | fail:
# This file has been explicitely emptied and disabled by TripleO msg: |
# so that nftables and iptables do not race each other No CIDRs found in the ctlplane network tags.
register: nftablesconf Please refer to the documentation in order to
- when: nftablesconf is changed set the correct network tags in DeployedServerPortMap.
block: - null
- name: Flush Nftables rules when nftables.conf changed
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
- name: Restart iptables to restore firewall after flushing nftables
systemd:
state: reloaded
name: "{{item}}"
loop:
- iptables.service
- ip6tables.service
- if:
- no_ctlplane
- -
name: Ensure ctlplane subnet is set
fail:
msg: |
No CIDRs found in the ctlplane network tags.
Please refer to the documentation in order to
set the correct network tags in DeployedServerPortMap.
- null
deploy_steps_tasks: deploy_steps_tasks:
- when: step|int == 0 - when: step|int == 0