Initialize ip(6)tables "raw" table

With RHEL8, we apparently hit an issue where the "raw" table doesn't exist. While this is worked around during the deploy, we need to ensure this table does exist upon reboot. This patch creates 2 systemd unit in order to ensure this table is present in both iptables and ip6tables. They are to be launched before the ip(6)tables.service in order to allow the standard rules to be loaded at boot time. Those units will probably be removed once we have an updated iptables package. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1673609 Change-Id: I5334ac3e8080700d77e7a1de3330fdad76bc633f
2019-05-22 11:16:53 +02:00
parent 45a94c8710
commit e97d4dcfd2
1 changed files with 47 additions and 0 deletions
@@ -55,6 +55,53 @@ outputs:

      step_config: |
        include ::tripleo::firewall
+      deploy_steps_tasks:
+        - when: step|int == 0
+          block:
+            - name: create iptables service
+              copy:
+                dest: /etc/systemd/system/tripleo-iptables.service
+                content: |
+                  [Unit]
+                  Description=Initialize iptables
+                  Before=iptables.service
+                  AssertPathExists=/etc/sysconfig/iptables
+
+                  [Service]
+                  Type=oneshot
+                  ExecStart=/usr/sbin/iptables -t raw -nL
+                  Environment=BOOTUP=serial
+                  Environment=CONSOLETYPE=serial
+                  StandardOutput=syslog
+                  StandardError=syslog
+                  [Install]
+                  WantedBy=basic.target
+            - name: enable tripleo-iptables service
+              service:
+                enabled: yes
+                name: tripleo-iptables.service
+            - name: create ip6tables service
+              copy:
+                dest: /etc/systemd/system/tripleo-ip6tables.service
+                content: |
+                  [Unit]
+                  Description=Initialize ip6tables
+                  Before=ip6tables.service
+                  AssertPathExists=/etc/sysconfig/ip6tables
+
+                  [Service]
+                  Type=oneshot
+                  ExecStart=/usr/sbin/ip6tables -t raw -nL
+                  Environment=BOOTUP=serial
+                  Environment=CONSOLETYPE=serial
+                  StandardOutput=syslog
+                  StandardError=syslog
+                  [Install]
+                  WantedBy=basic.target
+            - name: enable tripleo-ip6tables service
+              service:
+                enabled: yes
+                name: tripleo-ip6tables.service
      upgrade_tasks:
        - when: step|int == 3
          block: