zuul/zuul-jobs
Code Issues Proposed changes

Use iptables for openSUSE

Browse Source 
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the iptables persistance tasks to
avoid using SuSEfirewall2 and instead use rc.local to restore saved
rules upon restart, and undefines the iptables_service variable for SUSE
since there is no service to restart any more. See the related change
for image builds[2].

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
[2] https://review.opendev.org/683236

Change-Id: I0f8d74dd00df192c20b96a9368b964839c306171
This commit is contained in:
Colleen Murphy
2019-09-27 14:21:46 -07:00
committed by Colleen Murphy
parent 01f6c26e29
commit 18285584f1
3 changed files with 17 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
roles/persistent-firewall/tasks/persist/Suse.yaml
View File

@@ -10,27 +10,11 @@
content: "{{ ip6tables_rules.stdout }}" content: "{{ ip6tables_rules.stdout }}"
dest: "/etc/sysconfig/ip6tables" dest: "/etc/sysconfig/ip6tables"
- name: Set up SuSEfirewall2 custom rules to be loaded - name: Configure rc.local to restore saved rules on restart
become: yes
replace:
path: /etc/sysconfig/SuSEfirewall2
regexp: '^FW_CUSTOMRULES=.*$'
replace: 'FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'
- name: Configure SuSEfirewall2 to restore saved rules on restart
become: yes become: yes
blockinfile: blockinfile:
path: /etc/sysconfig/scripts/SuSEfirewall2-custom path: /etc/init.d/boot.local
insertafter: EOF insertbefore: "exit 0"
content: | content: |
fw_custom_after_finished() { iptables-restore /etc/sysconfig/iptables
/usr/sbin/iptables-restore /etc/sysconfig/iptables ip6tables-restore /etc/sysconfig/ip6tables
/usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables
}
- name: Ensure SuSEfirewall2 is started
become: yes
service:
name: SuSEfirewall2
state: started
enabled: yes

2
test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
View File

@@ -1,2 +0,0 @@
iptables_service:
- SuSEfirewall2

12
test-playbooks/multinode/persistent-firewall.yaml
View File

@@ -34,6 +34,18 @@
when: iptables_service is defined when: iptables_service is defined
with_items: "{{ iptables_service }}" with_items: "{{ iptables_service }}"
# If there is no iptables service (ie on opensuse), run the rc file to apply the rules
- name: Check for boot.local
stat:
path: /etc/init.d/boot.local
register: boot_local_file
when: ansible_os_family == "Suse"
- name: Restore iptables
become: yes
command: "/etc/init.d/boot.local"
when: ansible_os_family == "Suse" and iptables_service is not defined and boot_local_file.stat.exists == True
- name: switch and peer nodes should be in the ipv4 firewall - name: switch and peer nodes should be in the ipv4 firewall
become: yes become: yes
command: iptables-save command: iptables-save