From 18285584f118e8b09f496923331097dd7b16c70b Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 27 Sep 2019 14:21:46 -0700
Subject: [PATCH] Use iptables for openSUSE

In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor of firewalld[1]. This commit updates the iptables persistance tasks to avoid using SuSEfirewall2 and instead use rc.local to restore saved rules upon restart, and undefines the iptables_service variable for SUSE since there is no service to restart any more. See the related change for image builds[2].

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
[2] https://review.opendev.org/683236

Change-Id: I0f8d74dd00df192c20b96a9368b964839c306171
---
.../tasks/persist/Suse.yaml | 26 ++++---------------
.../Suse.yaml | 2 --
.../multinode/persistent-firewall.yaml | 12 +++++++++
3 files changed, 17 insertions(+), 23 deletions(-)
delete mode 100644 test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml

diff --git a/roles/persistent-firewall/tasks/persist/Suse.yaml b/roles/persistent-firewall/tasks/persist/Suse.yaml
index c37b46a95..d3d3a8f19 100644
--- a/roles/persistent-firewall/tasks/persist/Suse.yaml
+++ b/roles/persistent-firewall/tasks/persist/Suse.yaml
@@ -10,27 +10,11 @@
 content: "{{ ip6tables_rules.stdout }}"
 dest: "/etc/sysconfig/ip6tables"
 
-- name: Set up SuSEfirewall2 custom rules to be loaded
- become: yes
- replace:
- path: /etc/sysconfig/SuSEfirewall2
- regexp: '^FW_CUSTOMRULES=.*$'
- replace: 'FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'
-
-- name: Configure SuSEfirewall2 to restore saved rules on restart
+- name: Configure rc.local to restore saved rules on restart
 become: yes
 blockinfile:
- path: /etc/sysconfig/scripts/SuSEfirewall2-custom
- insertafter: EOF
+ path: /etc/init.d/boot.local
+ insertbefore: "exit 0"
 content: |
- fw_custom_after_finished() {
- /usr/sbin/iptables-restore /etc/sysconfig/iptables
- /usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables
- }
-
-- name: Ensure SuSEfirewall2 is started
- become: yes
- service:
- name: SuSEfirewall2
- state: started
- enabled: yes
+ iptables-restore /etc/sysconfig/iptables
+ ip6tables-restore /etc/sysconfig/ip6tables
diff --git a/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml b/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
deleted file mode 100644
index 01bce50fd..000000000
--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-iptables_service:
- - SuSEfirewall2
diff --git a/test-playbooks/multinode/persistent-firewall.yaml b/test-playbooks/multinode/persistent-firewall.yaml
index 48d6cbe86..cee6009f4 100644
--- a/test-playbooks/multinode/persistent-firewall.yaml
+++ b/test-playbooks/multinode/persistent-firewall.yaml
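Review bot: Nothing in the rewritten task guarantees that `/etc/init.d/boot.local` exists, is executable and is actually run at boot: `blockinfile` fails on a missing file unless `create: yes` is set, and the removed task's `enabled: yes` on the firewall service has no replacement, so on Tumbleweed the rules come back only if rc-local picks the file up (as far as I know the rc-local generator only does so when the file is executable). I would add `create: yes` and `mode: "0755"` to the `blockinfile` args and keep the absolute `/usr/sbin/` prefix the old hook used, since a boot script should not depend on PATH. Note also that `insertbefore: "exit 0"` is a regex that silently falls back to appending at EOF when no such line exists, which is acceptable but deserves a one-line comment so nobody "fixes" it later. A hedged point on the approach itself: the old hook ran as part of the firewall service, whereas rc-local runs late in boot, so there is likely a window where interfaces are up before the saved rules are restored; if that matters for this role, a small systemd unit ordered before `network.target` would close it.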
@@ -34,6 +34,18 @@
 when: iptables_service is defined
 with_items: "{{ iptables_service }}"
 
+ # If there is no iptables service (ie on opensuse), run the rc file to apply the rules
+ - name: Check for boot.local
+ stat:
+ path: /etc/init.d/boot.local
+ register: boot_local_file
+ when: ansible_os_family == "Suse"
+
+ - name: Restore iptables
+ become: yes
+ command: "/etc/init.d/boot.local"
+ when: ansible_os_family == "Suse" and iptables_service is not defined and boot_local_file.stat.exists == True
+
 - name: switch and peer nodes should be in the ipv4 firewall
 become: yes
 command: iptables-save
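Review bot: The `boot_local_file.stat.exists == True` guard on the `Restore iptables` task turns a missing `boot.local` into a silent skip, and the `iptables-save` checks that follow would presumably still pass because the rules applied earlier in the play are still loaded in the kernel, so the persisted path can go untested on SUSE without the job noticing. I would fail loudly instead: drop the `stat.exists` clause from the `when` and add an `assert` task that `boot_local_file.stat.exists and boot_local_file.stat.executable` hold when `ansible_os_family == "Suse" and iptables_service is not defined`, since rc-local will not run a non-executable file either. As a point of style, `== True` is redundant on a boolean (`boot_local_file.stat.exists` alone, or the `when` written as a list of conditions), and `ie` in the comment reads better as `i.e.`. Running the whole `boot.local` under `become` also executes anything else placed in that file on the test node, which is acceptable here but worth a comment such as `# boot.local is executed as a whole; it should contain only the iptables-restore block`. The enclosing play starts before this hunk.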